Gen.Variant.Kazy.652963_821bf29fc7

by malwarelabrobot on July 23rd, 2015 in Malware Descriptions.

Trojan-Downloader.Win32.Dofoil.brag (Kaspersky), Gen:Variant.Kazy.652963 (B) (Emsisoft), Gen:Variant.Kazy.652963 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 821bf29fc7b9a80b084c0f4d9253c638
SHA1: d15714c46b5fb1e4db586f646720df8844317962
SHA256: 9ecd1de6d2f5ad8833f8bd62881ec690e2f3fd4c6c039f0700dfc09fad614e7f
SSDeep: 12288:PRyGZETQ7k0pW6ZijTWwO6oeIhfjCQOPfLQVRQxlp7tY75:5Fk0pWmiHX1oCzPz QxlPY75
Size: 545876 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-26 00:07:24
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mofcomp.exe:3692
%original file name%.exe:1004
WindowsXP-KB968930-x86-ENG.exe:1256
ngen.exe:2476
ngen.exe:2612
ngen.exe:2928
ngen.exe:2636
ngen.exe:3064
ngen.exe:3044
ngen.exe:2568
ngen.exe:2540
ngen.exe:2544
ngen.exe:2560
ngen.exe:3020
ngen.exe:3088
ngen.exe:2508
ngen.exe:2500
ngen.exe:2604
ngen.exe:2624
ngen.exe:2628
ngen.exe:3072
ngen.exe:2552
ngen.exe:2576
ngen.exe:2492
ngen.exe:2412
ngen.exe:2516
update.exe:2112
PSCustomSetupUtil.exe:3824
PSCustomSetupUtil.exe:2716
PSCustomSetupUtil.exe:3924
PSCustomSetupUtil.exe:1168
PSCustomSetupUtil.exe:2892
PSCustomSetupUtil.exe:4044
PSCustomSetupUtil.exe:1420
PSCustomSetupUtil.exe:2052
PSCustomSetupUtil.exe:2740
PSCustomSetupUtil.exe:3972
PSCustomSetupUtil.exe:3892
PSCustomSetupUtil.exe:2072
PSCustomSetupUtil.exe:2668
PSCustomSetupUtil.exe:2648
PSCustomSetupUtil.exe:2872
PSCustomSetupUtil.exe:2816
PSCustomSetupUtil.exe:2708
PSCustomSetupUtil.exe:3748
PSCustomSetupUtil.exe:304
PSCustomSetupUtil.exe:2764
PSCustomSetupUtil.exe:1596
PSCustomSetupUtil.exe:3996
PSCustomSetupUtil.exe:4072
PSCustomSetupUtil.exe:472
PSCustomSetupUtil.exe:2000
PSCustomSetupUtil.exe:3848
PSSetupNativeUtils.exe:3368
mscorsvw.exe:3948
mscorsvw.exe:3492
mscorsvw.exe:3828
mscorsvw.exe:3048
mscorsvw.exe:3672
mscorsvw.exe:2460
mscorsvw.exe:3552
mscorsvw.exe:3120
mscorsvw.exe:2348
mscorsvw.exe:320
mscorsvw.exe:3180
mscorsvw.exe:2660
mscorsvw.exe:2684
mscorsvw.exe:424
mscorsvw.exe:3764
mscorsvw.exe:184
mscorsvw.exe:2932
mscorsvw.exe:2836
mscorsvw.exe:3528
mscorsvw.exe:3560
mscorsvw.exe:3396
mscorsvw.exe:3080
mscorsvw.exe:2020
mscorsvw.exe:2140
mscorsvw.exe:2100
wsmanhttpconfig.exe:3664
wsmanhttpconfig.exe:3576

The Trojan injects its code into the following process(es):

svchost.exe:1356
svchost.exe:1288

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mofcomp.exe:3692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\e86a9d383afd90415e\update\update.exe (10748 bytes)
C:\e86a9d383afd90415e\about_session_configurations.help.txt (276 bytes)
C:\e86a9d383afd90415e\update\update.ver (14 bytes)
C:\e86a9d383afd90415e\about_remote_output.help.txt (887 bytes)
C:\e86a9d383afd90415e\diagnostics.format.ps1xml (590 bytes)
C:\e86a9d383afd90415e\about_path_syntax.help.txt (5 bytes)
C:\e86a9d383afd90415e\about_aliases.help.txt (6 bytes)
C:\e86a9d383afd90415e\profile.ps1 (772 bytes)
C:\e86a9d383afd90415e\about_redirection.help.txt (2 bytes)
C:\e86a9d383afd90415e\dotnettypes.format.ps1xml (266 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\e86a9d383afd90415e\wsmpty.xsl (1 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.runtime.dll (33 bytes)
C:\e86a9d383afd90415e\about_commonparameters.help.txt (12 bytes)
C:\e86a9d383afd90415e\about_regular_expressions.help.txt (5 bytes)
C:\e86a9d383afd90415e\wsmsvc.dll (15909 bytes)
C:\e86a9d383afd90415e\windowspowershellhelp.chm (26041 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.management.dll (3386 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\e86a9d383afd90415e\winrm.cmd (35 bytes)
C:\e86a9d383afd90415e\winrssrv.dll (12 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.management.dll (5010 bytes)
C:\e86a9d383afd90415e\about_ref.help.txt (1 bytes)
C:\e86a9d383afd90415e\pspluginwkr.dll (1756 bytes)
C:\e86a9d383afd90415e\wsmanhttpconfig.exe (3009 bytes)
C:\e86a9d383afd90415e\eventforwarding.adm (2 bytes)
C:\e86a9d383afd90415e\about_remote_troubleshooting.help.txt (146 bytes)
C:\e86a9d383afd90415e\about_wmi_cmdlets.help.txt (8 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.consolehost.dll (3118 bytes)
C:\e86a9d383afd90415e\powershell_ise.exe (2526 bytes)
C:\e86a9d383afd90415e\about_logical_operators.help.txt (2 bytes)
C:\e86a9d383afd90415e\winrsmgr.dll (2 bytes)
C:\e86a9d383afd90415e\about_try_catch_finally.help.txt (7 bytes)
C:\e86a9d383afd90415e\about_parameters.help.txt (9 bytes)
C:\e86a9d383afd90415e\about_arithmetic_operators.help.txt (168 bytes)
C:\e86a9d383afd90415e\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\e86a9d383afd90415e\about_job_details.help.txt (824 bytes)
C:\e86a9d383afd90415e\about_special_characters.help.txt (3 bytes)
C:\e86a9d383afd90415e\about_pssnapins.help.txt (6 bytes)
C:\e86a9d383afd90415e\wtrinstaller.ico (4803 bytes)
C:\e86a9d383afd90415e\about_quoting_rules.help.txt (659 bytes)
C:\e86a9d383afd90415e\filesystem.format.ps1xml (133 bytes)
C:\e86a9d383afd90415e\bitstransfer.format.ps1xml (16 bytes)
C:\e86a9d383afd90415e\about_pssessions.help.txt (9 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.editor.dll (14450 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\e86a9d383afd90415e\about_command_syntax.help.txt (5 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\$Directory (800 bytes)
C:\e86a9d383afd90415e\update\kb968930xp.cat (512 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\e86a9d383afd90415e\about_scopes.help.txt (76 bytes)
C:\e86a9d383afd90415e\about_ws-management_cmdlets.help.txt (405 bytes)
C:\e86a9d383afd90415e\about_while.help.txt (2 bytes)
C:\e86a9d383afd90415e\winrmprov.dll (591 bytes)
C:\e86a9d383afd90415e\about_windows_powershell_ise.help.txt (6 bytes)
C:\e86a9d383afd90415e\about_remote_faq.help.txt (775 bytes)
C:\e86a9d383afd90415e\about_properties.help.txt (7 bytes)
C:\e86a9d383afd90415e\about_reserved_words.help.txt (1 bytes)
C:\e86a9d383afd90415e\about_parsing.help.txt (2 bytes)
C:\e86a9d383afd90415e\about_history.help.txt (3 bytes)
C:\e86a9d383afd90415e\bitstransfer.psd1 (950 bytes)
C:\e86a9d383afd90415e\about_operators.help.txt (770 bytes)
C:\e86a9d383afd90415e\about_script_internationalization.help.txt (9 bytes)
C:\e86a9d383afd90415e\about_variables.help.txt (6 bytes)
C:\e86a9d383afd90415e\about_profiles.help.txt (457 bytes)
C:\e86a9d383afd90415e\update\updspapi.dll (5940 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\e86a9d383afd90415e\about_line_editing.help.txt (1 bytes)
C:\e86a9d383afd90415e\wsmauto.dll (1842 bytes)
C:\e86a9d383afd90415e\wevtfwd.dll (3351 bytes)
C:\e86a9d383afd90415e\powershelltrace.format.ps1xml (344 bytes)
C:\e86a9d383afd90415e\about_eventlogs.help.txt (5 bytes)
C:\e86a9d383afd90415e\winrscmd.dll (2907 bytes)
C:\e86a9d383afd90415e\wsmprovhost.exe (657 bytes)
C:\e86a9d383afd90415e\getevent.types.ps1xml (15 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\e86a9d383afd90415e\pwrshsip.dll (24 bytes)
C:\e86a9d383afd90415e\help.format.ps1xml (3947 bytes)
C:\e86a9d383afd90415e\about_modules.help.txt (13 bytes)
C:\e86a9d383afd90415e\about_assignment_operators.help.txt (379 bytes)
C:\e86a9d383afd90415e\about_functions.help.txt (586 bytes)
C:\e86a9d383afd90415e\registry.format.ps1xml (20 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\e86a9d383afd90415e\powershellcore.format.ps1xml (1492 bytes)
C:\e86a9d383afd90415e\about_windows_powershell_2.0.help.txt (453 bytes)
C:\e86a9d383afd90415e\about_requires.help.txt (2 bytes)
C:\e86a9d383afd90415e\about_throw.help.txt (5 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\e86a9d383afd90415e\update\update.inf (2457 bytes)
C:\e86a9d383afd90415e\windowsremotemanagement.adm (574 bytes)
C:\e86a9d383afd90415e\update\spcustom.dll (23 bytes)
C:\e86a9d383afd90415e\winrshost.exe (22 bytes)
C:\e86a9d383afd90415e\about_types.ps1xml.help.txt (481 bytes)
C:\e86a9d383afd90415e\about_scripts.help.txt (12 bytes)
C:\e86a9d383afd90415e\system.management.automation.resources.dll (3153 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\e86a9d383afd90415e\about_functions_advanced_parameters.help.txt (962 bytes)
C:\e86a9d383afd90415e\about_split.help.txt (10 bytes)
C:\e86a9d383afd90415e\about_objects.help.txt (2 bytes)
C:\e86a9d383afd90415e\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.editor.resources.dll (562 bytes)
C:\e86a9d383afd90415e\about_break.help.txt (792 bytes)
C:\e86a9d383afd90415e\about_if.help.txt (3 bytes)
C:\e86a9d383afd90415e\about_type_operators.help.txt (5 bytes)
C:\e86a9d383afd90415e\about_command_precedence.help.txt (8 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\e86a9d383afd90415e\about_arrays.help.txt (8 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\e86a9d383afd90415e\about_preference_variables.help.txt (37 bytes)
C:\e86a9d383afd90415e\pwrshmsg.dll (4 bytes)
C:\e86a9d383afd90415e\about_script_blocks.help.txt (3 bytes)
C:\e86a9d383afd90415e\$shtdwn$.req (788 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\e86a9d383afd90415e\windowsremoteshell.adm (12 bytes)
C:\e86a9d383afd90415e\about_transactions.help.txt (1011 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\e86a9d383afd90415e\about_do.help.txt (2 bytes)
C:\e86a9d383afd90415e\wsmtxt.xsl (2 bytes)
C:\e86a9d383afd90415e\about_format.ps1xml.help.txt (17 bytes)
C:\e86a9d383afd90415e\default.help.txt (2 bytes)
C:\e86a9d383afd90415e\update (4 bytes)
C:\e86a9d383afd90415e\powershell_ise.resources.dll (4 bytes)
C:\e86a9d383afd90415e\importallmodules.psd1 (438 bytes)
C:\e86a9d383afd90415e\about_remote.help.txt (7 bytes)
C:\e86a9d383afd90415e\pssetupnativeutils.exe (9 bytes)
C:\e86a9d383afd90415e\about_wildcards.help.txt (3 bytes)
C:\e86a9d383afd90415e\system.management.automation.dll (38414 bytes)
C:\e86a9d383afd90415e\about_pssession_details.help.txt (9 bytes)
C:\e86a9d383afd90415e\winrm.vbs (2727 bytes)
C:\e86a9d383afd90415e\about_return.help.txt (3 bytes)
C:\e86a9d383afd90415e\about_continue.help.txt (1 bytes)
C:\e86a9d383afd90415e\about_trap.help.txt (10 bytes)
C:\e86a9d383afd90415e\about_for.help.txt (146 bytes)
C:\e86a9d383afd90415e\about_execution_policies.help.txt (13 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\e86a9d383afd90415e\about_signing.help.txt (12 bytes)
C:\e86a9d383afd90415e\about_functions_advanced.help.txt (3 bytes)
C:\e86a9d383afd90415e\system.management.automation.dll-help.xml (16567 bytes)
C:\e86a9d383afd90415e\about_core_commands.help.txt (221 bytes)
C:\e86a9d383afd90415e\about_language_keywords.help.txt (11 bytes)
C:\e86a9d383afd90415e\about_automatic_variables.help.txt (14 bytes)
C:\e86a9d383afd90415e\about_locations.help.txt (794 bytes)
C:\e86a9d383afd90415e\wsmplpxy.dll (603 bytes)
C:\e86a9d383afd90415e\update\eula.txt (586 bytes)
C:\e86a9d383afd90415e\about_escape_characters.help.txt (2 bytes)
C:\e86a9d383afd90415e\about_remote_requirements.help.txt (6 bytes)
C:\e86a9d383afd90415e\about_hash_tables.help.txt (6 bytes)
C:\e86a9d383afd90415e\wsmres.dll (6164 bytes)
C:\e86a9d383afd90415e\about_foreach.help.txt (10 bytes)
C:\e86a9d383afd90415e\about_pipelines.help.txt (411 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.security.resources.dll (9 bytes)
C:\e86a9d383afd90415e\about_comment_based_help.help.txt (595 bytes)
C:\e86a9d383afd90415e\spuninst.exe (3787 bytes)
C:\e86a9d383afd90415e\pwrshplugin.dll (802 bytes)
C:\e86a9d383afd90415e\winrmprov.mof (789 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\e86a9d383afd90415e\wsmauto.mof (4 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\e86a9d383afd90415e\about_environment_variables.help.txt (417 bytes)
C:\e86a9d383afd90415e\powershell.exe.mui (10 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\e86a9d383afd90415e\certificate.format.ps1xml (155 bytes)
C:\e86a9d383afd90415e\types.ps1xml (2510 bytes)
C:\e86a9d383afd90415e\about_bits_cmdlets.help.txt (7 bytes)
C:\e86a9d383afd90415e\about_switch.help.txt (489 bytes)
C:\e86a9d383afd90415e\about_comparison_operators.help.txt (11 bytes)
C:\e86a9d383afd90415e\wsmwmipl.dll (2816 bytes)
C:\e86a9d383afd90415e\about_jobs.help.txt (12 bytes)
C:\e86a9d383afd90415e\spupdsvc.exe (287 bytes)
C:\e86a9d383afd90415e\about_functions_advanced_methods.help.txt (9 bytes)
C:\e86a9d383afd90415e\winrm.ini (1956 bytes)
C:\e86a9d383afd90415e\about_providers.help.txt (59 bytes)
C:\e86a9d383afd90415e\about_prompts.help.txt (7 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.management.resources.dll (13 bytes)
C:\e86a9d383afd90415e\powershell.exe (7339 bytes)
C:\e86a9d383afd90415e\about_join.help.txt (2 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\e86a9d383afd90415e\about_remote_jobs.help.txt (13 bytes)
C:\e86a9d383afd90415e\winrs.exe (1154 bytes)
C:\e86a9d383afd90415e\wsman.format.ps1xml (837 bytes)
C:\e86a9d383afd90415e\about_methods.help.txt (6 bytes)
C:\e86a9d383afd90415e\about_data_sections.help.txt (5 bytes)
C:\e86a9d383afd90415e\spmsg.dll (495 bytes)
C:\e86a9d383afd90415e\pscustomsetuputil.exe (316 bytes)
C:\e86a9d383afd90415e\about_debuggers.help.txt (21 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.security.dll (1145 bytes)

The Trojan deletes the following file(s):

C:\e86a9d383afd90415e\windowspowershellhelp.chm (0 bytes)
C:\e86a9d383afd90415e\update\update.exe (0 bytes)
C:\e86a9d383afd90415e\about_session_configurations.help.txt (0 bytes)
C:\e86a9d383afd90415e\update\update.ver (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.dll (0 bytes)
C:\e86a9d383afd90415e\about_remote_output.help.txt (0 bytes)
C:\e86a9d383afd90415e\diagnostics.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\update\kb968930xp.cat (0 bytes)
C:\e86a9d383afd90415e\about_aliases.help.txt (0 bytes)
C:\e86a9d383afd90415e\profile.ps1 (0 bytes)
C:\e86a9d383afd90415e\about_redirection.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_reserved_words.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.gpowershell.dll (0 bytes)
C:\e86a9d383afd90415e\wsmpty.xsl (0 bytes)
C:\e86a9d383afd90415e\about_assignment_operators.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_regular_expressions.help.txt (0 bytes)
C:\e86a9d383afd90415e\wsmsvc.dll (0 bytes)
C:\e86a9d383afd90415e\winrs.exe (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.management.dll (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\winrm.cmd (0 bytes)
C:\e86a9d383afd90415e\winrssrv.dll (0 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.management.dll (0 bytes)
C:\e86a9d383afd90415e\about_break.help.txt (0 bytes)
C:\e86a9d383afd90415e\pspluginwkr.dll (0 bytes)
C:\e86a9d383afd90415e\about_continue.help.txt (0 bytes)
C:\e86a9d383afd90415e\eventforwarding.adm (0 bytes)
C:\e86a9d383afd90415e\about_if.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_wmi_cmdlets.help.txt (0 bytes)
C:\e86a9d383afd90415e\powershell_ise.exe (0 bytes)
C:\e86a9d383afd90415e\about_logical_operators.help.txt (0 bytes)
C:\e86a9d383afd90415e\winrsmgr.dll (0 bytes)
C:\e86a9d383afd90415e\about_try_catch_finally.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_parameters.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_arithmetic_operators.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_job_details.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_environment_variables.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_pssnapins.help.txt (0 bytes)
C:\e86a9d383afd90415e\wtrinstaller.ico (0 bytes)
C:\e86a9d383afd90415e\about_quoting_rules.help.txt (0 bytes)
C:\e86a9d383afd90415e\filesystem.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\bitstransfer.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\pwrshsip.dll (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.editor.dll (0 bytes)
C:\e86a9d383afd90415e\about_path_syntax.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_command_syntax.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_modules.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\e86a9d383afd90415e\about_scopes.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_ws-management_cmdlets.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\winrmprov.dll (0 bytes)
C:\e86a9d383afd90415e\about_windows_powershell_ise.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_remote_faq.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_properties.help.txt (0 bytes)
C:\e86a9d383afd90415e\dotnettypes.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\about_parsing.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_scripts.help.txt (0 bytes)
C:\_353125_ (0 bytes)
C:\e86a9d383afd90415e\about_operators.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_script_internationalization.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_variables.help.txt (0 bytes)
C:\e86a9d383afd90415e (0 bytes)
C:\e86a9d383afd90415e\about_switch.help.txt (0 bytes)
C:\e86a9d383afd90415e\update\updspapi.dll (0 bytes)
C:\e86a9d383afd90415e\default.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_line_editing.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_data_sections.help.txt (0 bytes)
C:\e86a9d383afd90415e\wsmauto.dll (0 bytes)
C:\e86a9d383afd90415e\wevtfwd.dll (0 bytes)
C:\e86a9d383afd90415e\powershelltrace.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\about_eventlogs.help.txt (0 bytes)
C:\e86a9d383afd90415e\winrscmd.dll (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\e86a9d383afd90415e\winrm.vbs (0 bytes)
C:\e86a9d383afd90415e\getevent.types.ps1xml (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\e86a9d383afd90415e\about_pssessions.help.txt (0 bytes)
C:\e86a9d383afd90415e\help.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.runtime.dll (0 bytes)
C:\e86a9d383afd90415e\wsmwmipl.dll (0 bytes)
C:\e86a9d383afd90415e\registry.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\e86a9d383afd90415e\powershellcore.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\about_windows_powershell_2.0.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_type_operators.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\windowsremotemanagement.adm (0 bytes)
C:\e86a9d383afd90415e\update\spcustom.dll (0 bytes)
C:\e86a9d383afd90415e\winrshost.exe (0 bytes)
C:\e86a9d383afd90415e\about_types.ps1xml.help.txt (0 bytes)
C:\e86a9d383afd90415e\system.management.automation.resources.dll (0 bytes)
C:\e86a9d383afd90415e\about_functions_advanced_parameters.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_split.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_objects.help.txt (0 bytes)
C:\e86a9d383afd90415e\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.editor.resources.dll (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\e86a9d383afd90415e\about_ref.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_remote_troubleshooting.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_command_precedence.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\e86a9d383afd90415e\update\update.inf (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\e86a9d383afd90415e\about_preference_variables.help.txt (0 bytes)
C:\e86a9d383afd90415e\pwrshmsg.dll (0 bytes)
C:\e86a9d383afd90415e\about_providers.help.txt (0 bytes)
C:\e86a9d383afd90415e\wsmprovhost.exe (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\windowsremoteshell.adm (0 bytes)
C:\e86a9d383afd90415e\about_transactions.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\e86a9d383afd90415e\about_do.help.txt (0 bytes)
C:\e86a9d383afd90415e\wsmtxt.xsl (0 bytes)
C:\e86a9d383afd90415e\about_format.ps1xml.help.txt (0 bytes)
C:\e86a9d383afd90415e\update (0 bytes)
C:\e86a9d383afd90415e\powershell_ise.resources.dll (0 bytes)
C:\e86a9d383afd90415e\importallmodules.psd1 (0 bytes)
C:\e86a9d383afd90415e\about_remote.help.txt (0 bytes)
C:\e86a9d383afd90415e\pssetupnativeutils.exe (0 bytes)
C:\e86a9d383afd90415e\about_arrays.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_wildcards.help.txt (0 bytes)
C:\e86a9d383afd90415e\system.management.automation.dll (0 bytes)
C:\e86a9d383afd90415e\about_pssession_details.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_return.help.txt (0 bytes)
C:\e86a9d383afd90415e\wsmanhttpconfig.exe (0 bytes)
C:\e86a9d383afd90415e\about_trap.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_for.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_execution_policies.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\e86a9d383afd90415e\about_pipelines.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_signing.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_functions_advanced.help.txt (0 bytes)
C:\e86a9d383afd90415e\system.management.automation.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\about_core_commands.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_language_keywords.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_automatic_variables.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_locations.help.txt (0 bytes)
C:\e86a9d383afd90415e\wsmplpxy.dll (0 bytes)
C:\e86a9d383afd90415e\update\eula.txt (0 bytes)
C:\e86a9d383afd90415e\about_escape_characters.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_remote_requirements.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_hash_tables.help.txt (0 bytes)
C:\e86a9d383afd90415e\wsmres.dll (0 bytes)
C:\e86a9d383afd90415e\about_while.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_foreach.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_history.help.txt (0 bytes)
C:\e86a9d383afd90415e\bitstransfer.psd1 (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.security.resources.dll (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.consolehost.dll (0 bytes)
C:\e86a9d383afd90415e\about_comment_based_help.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_requires.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_debuggers.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\e86a9d383afd90415e\wsman.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\wsmauto.mof (0 bytes)
C:\e86a9d383afd90415e\about_special_characters.help.txt (0 bytes)
C:\e86a9d383afd90415e\powershell.exe.mui (0 bytes)
C:\e86a9d383afd90415e\about_throw.help.txt (0 bytes)
C:\e86a9d383afd90415e\certificate.format.ps1xml (0 bytes)
C:\e86a9d383afd90415e\types.ps1xml (0 bytes)
C:\e86a9d383afd90415e\about_bits_cmdlets.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_profiles.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_comparison_operators.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_functions.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_jobs.help.txt (0 bytes)
C:\e86a9d383afd90415e\spupdsvc.exe (0 bytes)
C:\e86a9d383afd90415e\about_functions_advanced_methods.help.txt (0 bytes)
C:\e86a9d383afd90415e\winrm.ini (0 bytes)
C:\e86a9d383afd90415e\about_script_blocks.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_prompts.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.management.resources.dll (0 bytes)
C:\e86a9d383afd90415e\powershell.exe (0 bytes)
C:\e86a9d383afd90415e\about_join.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\e86a9d383afd90415e\about_remote_jobs.help.txt (0 bytes)
C:\e86a9d383afd90415e\pwrshplugin.dll (0 bytes)
C:\e86a9d383afd90415e\about_commonparameters.help.txt (0 bytes)
C:\e86a9d383afd90415e\about_methods.help.txt (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\spmsg.dll (0 bytes)
C:\e86a9d383afd90415e\pscustomsetuputil.exe (0 bytes)
C:\e86a9d383afd90415e\spuninst.exe (0 bytes)
C:\e86a9d383afd90415e\winrmprov.mof (0 bytes)
C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\e86a9d383afd90415e\microsoft.powershell.security.dll (0 bytes)

The process ngen.exe:2476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:2612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)

The process ngen.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)

The process ngen.exe:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)

The process ngen.exe:3064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)

The process ngen.exe:3044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1428 bytes)

The process ngen.exe:2568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:2540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:2544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:2560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:3020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)

The process ngen.exe:3088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)

The process ngen.exe:2508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:2500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)

The process ngen.exe:2624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)

The process ngen.exe:2628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)

The process ngen.exe:3072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)

The process ngen.exe:2552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:2576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:2492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:2516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process update.exe:2112 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5305 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (2400 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1579 bytes)
%WinDir%\inf\oem11.PNF (9992 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (138780 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (244906 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%WinDir%\inf\oem11.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Trojan deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%WinDir%\inf\oem11.PNF (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%WinDir%\inf\oem11.inf (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process PSCustomSetupUtil.exe:3824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\QHMRW27C\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:2716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\E5AFKOTX\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\A38DJOTY\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:1168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\A16BGLQV\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\RINSX27D\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:4044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\OFKPV05A\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:1420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\JCHNSX27\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:2052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\C27CINSX\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\B16BHMRW\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:3972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\QIOTY39E\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:3892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5X27CINS\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\D38DIOTY\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:2872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\C28DINTY\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\H7CHNSX2\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\QINSX16A\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\LBGLQV05\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\J9FKPUZ5\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\A06BGLQV\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SJOTY39E\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:4072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7Z49FKPU\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ZRW17CHM\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:2000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\905AFLQV\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:3848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SJOTY38E\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSSetupNativeUtils.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process mscorsvw.exe:3948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:3492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)

The process mscorsvw.exe:2460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)

The process mscorsvw.exe:2348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)

The process mscorsvw.exe:3180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)

The process mscorsvw.exe:2684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)

The process mscorsvw.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)

The process mscorsvw.exe:3764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:2932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)

The process mscorsvw.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)

The process mscorsvw.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:3080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)

The process mscorsvw.exe:2100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)

Registry activity

The process mofcomp.exe:3692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 6D 09 A8 FE 7C 9B D3 B3 7D FD 7A 18 9D E5 03"

The process %original file name%.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF C5 40 92 BC 12 C9 A3 0F F9 0E 00 29 E5 6C 1E"

The process WindowsXP-KB968930-x86-ENG.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 AC 3B 8E 41 2E C8 3E 9D C9 A0 B3 51 C8 7C 75"

The process ngen.exe:2476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 70 E7 94 54 F5 EF ED 0D 93 50 56 27 BC 7B 77"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:2612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 71 62 84 B2 1A 32 F6 A2 65 4E 35 BE 13 F2 8B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 63 D8 E6 DA DD 92 DF 46 E4 8B 77 91 88 61 AF"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE F6 B9 3F 19 B2 6F 79 A7 91 A5 0F 03 5C 63 5E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 D3 4E BD 10 8A EF 73 1D 83 78 B3 93 C4 49 DD"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 2C A9 77 CD CF 9A 08 43 57 E9 D1 F5 E5 C9 9C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 18 25 EF D5 10 67 99 4B 37 C7 CD A7 62 CA C9"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:2540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 18 9E 3D 98 D8 36 55 DA 7B D3 22 52 C7 B8 53"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 AE C1 34 D4 47 38 63 08 FF 7D AD DB 26 3C C6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:2560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB AC E5 E3 00 36 34 CA E5 20 D5 B8 FA CC D8 8E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 3C 88 8C 92 84 47 1B 9D E5 5A 45 F1 33 1B 8B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 46 6F 9D 1C EF 4F 71 7A 39 8E 9F 8A 9E A3 34"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 5A C2 59 3E E7 E7 C8 0B 7C 23 CF 7B 85 49 DC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 5A FA 00 23 59 5F E7 C2 B1 E0 A5 D3 03 F0 8B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 E0 8F 85 FE 03 C3 F7 77 0B 71 BC C4 96 7A A7"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 7D 47 68 2E F7 A6 DD F2 18 9A 93 5B 84 6A 2F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:2628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 6B 3A 45 AC 71 7D 32 D9 EE E2 5D 5B 0A 8B 53"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 61 D4 E2 1D CA 8C 1A 14 96 D5 DD CE 8B 13 1E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 79 52 3B D9 17 24 C3 97 B4 E3 A8 8E EA 16 B2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D C2 47 8A 94 D2 93 15 43 D7 EC 87 EE 65 BA 05"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 D9 24 5E 91 1A 69 29 5A 3A 21 78 01 E0 38 1C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D C5 EF 7B 2E 60 0E 2F AD 77 34 EA D2 18 46 DF"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:2516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 77 83 A7 08 B8 A0 AE FB BF 34 64 14 07 E5 48"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process update.exe:2112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.inf" = "1"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "7/21/2015"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 7F 0E BE 37 20 10 87 1D AF EC 8E FB FE BB 4E"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.PNF" = "1"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150721"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"UpgradeType" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"PathInetsrv" = "%System%\inetsrv"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\840:b1008\iis]

The process PSCustomSetupUtil.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 94 8F DE 71 72 59 75 3C BE D7 8C 2A C4 F5 92"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "02 5F 17 63 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:2716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 11 72 BB DB DA 66 91 1C BD 92 26 77 33 88 F3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "AC 78 EC 6A 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:3924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 27 B3 73 D3 49 D8 BA 51 6D 08 94 7F 86 50 E8"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "98 CB E6 63 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:1168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B FB AC A1 1A 04 42 B2 DD 88 83 55 89 BB C2 7F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "64 CA AB 65 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 50 29 A4 58 96 30 78 18 E1 DA 08 D4 7A 96 FD"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "1A A7 FE 6B 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:4044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 E1 FA 13 D5 49 2D 15 1C D0 CF E4 92 98 75 EF"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C6 AE AC 64 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:1420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC D0 06 D3 BE 24 09 9B 3F 24 E6 E6 1D 8C 4B 2F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "9A 5C A1 66 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:2052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 C4 CF 95 81 2B DC 3B D9 6A 30 4C 92 3D 5C 70"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "FC 6D D3 66 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 A2 16 88 56 44 CF 74 B9 AF 8E F6 E0 9E 92 D6"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "76 13 28 6B 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:3972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 AC F9 09 B3 8B DA 33 3E 29 D8 7E B4 15 9E 2C"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 52 2E 64 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:3892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 D5 79 9F 72 C3 91 AB B6 8A DF 48 56 A7 F3 DC"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "C0 09 A4 63 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 4F 77 8E 19 D1 D6 69 A6 F0 F3 FD F0 D7 CD 54"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "AA BA 00 67 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:2668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 7D BF 0B 0B AD 06 59 DA E6 1A C9 B9 33 87 24"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 2B EF D2 E2 11 B4 0C AB 8F 98 EA 0C 16 92 90"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 7A 20 48 26 B9 14 F0 BE DF 76 93 CB F3 17 CA"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "12 F8 CE 6B 10 C4 D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:2816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 9E 8D 3D F8 DD AC A9 EF 76 62 AE 55 4C 7D 42"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "56 84 9A 6B 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:2708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 2A B6 56 8C 63 3C 35 52 49 7D 07 95 8A 8E 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 10 8D 2E 26 46 01 0B 8C C5 D8 F8 87 8F 75 3E"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "C2 13 CB 62 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 09 D5 2E CA 05 E9 BA 57 6F 9C 9E 01 FC F2 1B"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "9A 2F 70 65 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 97 6A EA 8B 99 62 32 FF 47 80 1F C1 75 25 72"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "E6 4B 61 6B 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 F8 8E F7 CB 20 28 89 B9 0C DD 82 87 B2 36 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "12 17 D9 65 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:3996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 A9 67 04 58 2B 58 67 13 DB 2D 9F 6D C0 91 D1"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "48 4F 6C 64 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:4072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 55 1D BB 11 62 CF A8 6B 8A 11 D9 2A D0 EF 15"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "90 49 E8 64 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 97 7D F3 AD 44 4D F6 30 1F 22 06 B0 B9 AA 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "D0 94 34 65 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 CA E3 AB CF 7A F3 CB 3F C7 38 D6 E3 59 1F 9A"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "44 3B 1E 66 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:3848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 0E 24 7B D1 83 02 CC DC 42 F1 D0 D9 34 D8 BE"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "34 83 5C 63 10 C4 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSSetupNativeUtils.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 95 D1 B8 22 40 89 18 DF F1 7C 34 9E 79 9C 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process mscorsvw.exe:3948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA CD 96 9C 95 13 FB 66 93 73 8D 96 82 C6 AA FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "34 83 5C 63 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:3492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 D5 0F 5B 17 F0 08 55 CC 83 DD 06 6F 1E DF 7F"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]

The process mscorsvw.exe:3828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 47 2F 82 60 E7 73 1E 25 58 3F 0B C4 39 AF 76"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 6E 0F F1 A1 8E 62 5B FC 2F 20 77 10 5A 18 B8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 35 39 E3 26 9A D9 24 89 4B E2 CF 87 D8 09 6F"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 6E 2D FB 71 A9 C4 35 30 43 91 29 B5 CE 8D 85"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

The process mscorsvw.exe:3552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 4B 20 45 0A 5F BA 3A FE 7A 31 69 3B 89 CA B9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE EA A7 57 7A BA 2B 02 C9 AC F8 26 C0 2B 86 30"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 51 D4 CD F4 F1 E7 47 65 4A 66 80 6C 18 0D 3E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "76 13 28 6B 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]

The process mscorsvw.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 4D 61 DC D7 EA 35 8F C4 6C 50 79 BB 1B F5 EF"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "48 4F 6C 64 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 AF 5F 68 C6 CD 89 77 28 86 B3 3C D7 8F 8A C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "C6 AE AC 64 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]

The process mscorsvw.exe:2660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E C7 10 15 EE 9A 76 B8 6A 67 7E FE F0 D4 2F D6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "E6 4B 61 6B 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 9B FD 2E F5 00 46 49 9D DE 55 FF 4A A3 01 AA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]

The process mscorsvw.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "C0 09 A4 63 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C F5 1B 05 1D 0B 1E E6 28 7B 08 C8 6D 55 42 3A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:3764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "24 52 2E 64 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 31 B9 AB 0E 3A 3E 2B 2D 3A D7 66 50 8F 25 C6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 4F 65 E9 2C 28 C0 EA F5 AF 66 4B 27 2F E5 B0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 43 33 11 F9 0B EC F4 14 FE E3 5B 47 69 89 CB"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "AC 78 EC 6A 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]

The process mscorsvw.exe:2836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 2B F8 34 79 F8 AC 41 53 FF C0 3F 5E 11 03 88"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 63 0A C7 32 6B 85 72 91 D1 22 0C 7C 8C 5F 37"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]

The process mscorsvw.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "90 49 E8 64 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "C2 13 CB 62 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 6B 11 44 D3 30 EE 9D 27 8D 13 7C B4 39 F7 82"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 AA 65 1E 74 8A EE 24 1A 71 0F 21 AA 94 03 0F"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "98 CB E6 63 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 E4 EE 50 F1 4F 4E 77 45 F4 50 EA 56 FA 17 A3"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]

The process mscorsvw.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 5B 02 E9 91 62 67 33 07 5B D3 9E 2D 52 57 E8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 3E 62 A0 ED 0B 3D F0 16 8E D2 B9 5A 2A D5 26"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 BB 24 3D 7C C1 00 AF 69 F5 9B A3 F4 CA 92 11"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "02 5F 17 63 10 C4 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process wsmanhttpconfig.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 7D 37 8B 8F AF 59 62 60 C8 1B 15 C5 85 BB 96"

The process wsmanhttpconfig.exe:3576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 F4 02 CF A7 1C DA A4 67 23 34 04 29 FB 8D 8E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "339E6154-CD41-4318-A8C0-6D1F4E737D39"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

Dropped PE files

MD5 File path
9859a26d5e72bbb0685af813b409d99d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
fc9a05096522bb6d7ceda62ea1707420 c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
35efd8cd6549a4339cb2a28c8cfd6598 c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
a39df582ca051afc8811fbd00db12f10 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
75c183e262bd4400eb0f20349f6ef383 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
2f7fe3a781ba8c0a67c775f20e3e9f70 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
4e2482e69baaf3a5b13db8101c063ebf c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
08e87e8abf7b41b28663dce817ce0ab6 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
b87e087fc013225e2aa1cb60c080647d c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
f3ac3f844f90380aab2b4c0836c4288f c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
1ce73fb3f88c716cfc3fd550547d2b35 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
dfeb401cc051e5da721c584ff6a90f88 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
36ff641f37918f2cca98e7f407ac4d75 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
3991b7fa452a9c9c291c06365a236792 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
37bed865557084dd9988350ab1675e0b c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll
208fa9d0ebe2ceb9616042772e96598e c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
108500a98b9a2f66823e7615398fc87b c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll
d4eefccdc3de6ced901535fa4153c491 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
5a69fb5d686f863e0e13268d671ef16d c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
c7a0d1321a67a2afd330c5fbe79befd1 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
53a9d748ef09920a0d06da2583c298ad c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
6372ea7d2aced7185183cf3fcdd3577b c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
1a4e900c2fe3cd31d10107670d184fe6 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
f7da27672d2e4c21a1f996ee31de0dbf c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
2286b57ecc2d32d24049c51989084268 c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
4d8ab4fad244f7985d8c59d456e026d7 c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
930cdc3163f4d4a6bd52f96896e9fa44 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll
e27a37cfbcff4c9941e73c9a3e762d0c c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
8afa150131c5cba4b312493db94d30fb c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\72a5e788c4076b67ec6897dadb9c00b6\Microsoft.PowerShell.Editor.ni.dll
8984e670f9760c504c5fca8370ad99d3 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\93926797486d4f7a9b69c5875ff3fc30\Microsoft.PowerShell.Commands.Utility.ni.dll
fecd06a285a93f004a1a4a1a629f55b7 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ab6ea2ef90770c7807db52db59b5a132\Microsoft.PowerShell.Security.ni.dll
41980649706941d2ff841871435068b5 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\be897ce6cb7d25170286eabceae9f41e\Microsoft.PowerShell.GPowerShell.ni.dll
fe8b145b025e02fb4e23381a2e189d0a c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dc19f50c5e84e7223433cc709e7eb43f\Microsoft.PowerShell.ConsoleHost.ni.dll
1915d832be5b46ff2a888a9a6689e281 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\eaf77ec3ae2ea17383bfa6fba93d3737\Microsoft.PowerShell.GraphicalHost.ni.dll
6756eea89ecbaa301b79e4d01f381cd1 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f007ee1bf548ba761ba616f4c35b158e\Microsoft.PowerShell.Commands.Management.ni.dll
aae309ef03acc9d2e5c3546abcabedec c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\b1106ceca9f5c89ea57e9ecd46c7cf57\Microsoft.WSMan.Management.ni.dll
b582a633fcce28c0fc795810d4ca48f9 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\9d8e8f7b7ae950d86544540597837b01\Microsoft.WSMan.Runtime.ni.dll
85d7ab466d0577c49fc9879107ec7ef5 c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
173d3dd1425a8e33fa1d4ed71067a3a2 c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
df4217ddb34a0b73dc7aac7829371c0c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8 c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9f c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3 c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
95b7f12a557dedac5e4a1e9afa5e73ab c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5 c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91 c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63 c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6 c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351b c:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8a c:\WINDOWS\system32\WsmWmiPl.dll
8c386819bf5b39d7a4b274d0b55f87a5 c:\WINDOWS\system32\pwrshplugin.dll
84e025b1259c66315f4d45a6caecacc9 c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09c c:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948 c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655b c:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991 c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfa c:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1 c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81 c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867 c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2 c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 399505 399872 5.22488 8f2a4b383227b9975c4b359f58266320
.rdata 405504 55359 55808 3.21298 7c98131a27958b4b1ae9eeaeb9d732fa
.data 462848 16036 6656 2.71133 04ac22f542409ec78a58eb8824e79d9a
.rsrc 479232 82052 82432 4.11208 44b87275f70cba62ac04a786b54d9cc0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://microsoft.com/ 134.170.185.46
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://a767.dscms.akamai.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://121.42.143.53/
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe 23.15.4.16
hxxp://www.microsoft.com/uk-ua/
hxxp://www.microsoft.com/


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 121.42.143.53
Content-Length: 368
Cache-Control: no-cache

eDkVgJJpA9Gk Rs rnZkJVqWVkrtlmRVO3OizE1 wyBgOAhgEE0LGdUx0XcBzY 6xiwqnihNXeQ17fhzfNAPIv u5/oBDh vVtBaWErr3PmMw6P77ll0E2 J5DFwk04iqg9A74PUBvH6uty4pJmJ0CsBgOobaFxWOdinRnzmk t8iiZbhfaRwqQFaE5zaAbuK30yhujqusACaOX/fWNRXUQGWHwUNNOHh4CwJk/RZSKKTfOL7bu1frQGgIhCm9lOfTcTvuILDWtR8kPE41JGC6X6ao5O9PMrCwxAH36c2MoxwYV5jI3pogB9FH5kVEardGwpMKl/3GiEX0fw7gyOJoTJKDd3BAzYjhnxCAgu7sau7A==
HTTP/1.1 404 Not Found
Server: nginx/1.2.9
Date: Tue, 21 Jul 2015 23:52:03 GMT
Content-Type: text/html
Content-Length: 570
Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.2.
9</center>..</body>..</html>..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..nt>....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 121.42.143.53
Content-Length: 388
Cache-Control: no-cache

c2wQip5pWBm2AslmsWMFZY6z7UhQsouPDnVfKt5mCqI4Eg7ggvq0E5d5RFNRSosCmPlSKKdiYN6H08HuR1mRCyKrzMI3YFGz2mDNcuW80H1Ay6Mo2Em/aMIamdMqPoo17BlOUG4rGubqIKXMPN1u0mLklpXyyDWv9m3ImjUyNv6azp3zKb6wDEm3RWzgA6GE2/oL91VUtWneectTuE1kNZgLdLaCCTz5goIe5IrvD2Ems8pwheMFRQAedLeAYXmyx77lIbGh6aHxNhnMueSnYwxQY6Nii7jHlRPoMgTlXrHbSHgeQg9lzbfCq48sU5U6S6gwaJ7w5JxIpCojYywA6uQn8RsjPhuBb8BV0B B8/FhSiryDbF3w99EaqUWmEJkag==
HTTP/1.1 404 Not Found
Server: nginx/1.2.9
Date: Tue, 21 Jul 2015 23:52:49 GMT
Content-Type: text/html
Content-Length: 570
Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.2.
9</center>..</body>..</html>..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..nt>....


POST / HTTP/1.1


Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 121.42.143.53
Content-Length: 388
Cache-Control: no-cache

cTFDisA6AIpwyMIk6UsOw5PMYngM kFQfn9MhynuVn5FJkbautbKZuqszojBq7WTbnJLnXrSi6RpcHDHpMgRi8hbYUUOQ9yoDKEgz5zcLKSTJlpb6stxoJsrrdJ7zMCTwaoMJQG54pxe3TyxmoWE0WNK0aQGV8A7C3K8OkN3/HLQnUlsi1ZzO2dDZmbQ0XU3E7JoNpfhGNJvvwv3qsS2hoREjSJAOOsIHra/UoaLql91eXEJUeDK3WkGxjyo2b4qFuZR6paUIGWBXwpkrJYWFNO3gJFpAbLsvh8869j8//cNffjhXDWnr0KiYJr14E8kuSlPdtNXg Dkp6ubQPc3v7Zb1jYT/5n2R6abI1QaYvwjEKhy/xLf29xAvnv CZtOPrs=
HTTP/1.1 404 Not Found
Server: nginx/1.2.9
Date: Tue, 21 Jul 2015 23:53:34 GMT
Content-Type: text/html
Content-Length: 570
Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.2.
9</center>..</body>..</html>..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->....



GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.microsoft.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Tue, 21 Jul 2015 23:51:32 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
....


GET /uk-ua/ HTTP/1.1


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.microsoft.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.0
CorrelationVector: evqDfPQkrkOBzCa5.1.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Content-Length: 235803
Date: Tue, 21 Jul 2015 23:51:33 GMT
Connection: keep-alive
Set-Cookie: MS-CV=evqDfPQkrkOBzCa5.1; domain=.microsoft.com; expires=Wed, 22-Jul-2015 23:51:33 GMT; path=/
X-CCC: CA
X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsof
t.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lan
g="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta ht
tp-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="ut
f-8" /><meta name="viewport" content="width=device-width, initia
l-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.c
om/favicon.ico?v2" /><script type="text/javascript" src="hXXp://
ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> ..           /
/ Third party scripts and code linked to or referenced from this websi
te are licensed to you by the parties that own such code, not by Micro
soft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibra
ry/CDN.ashx...       </script><script type="text/javascript" 
language="javascript">/*<![CDATA[*/if($(document).bind("mobilein
it",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.ma
tch(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("st
yle");msViewportStyle.appendChild(document.createTextNode("@-ms-viewpo
rt{width:auto!important}")),document.getElementsByTagName("head")[0].a
ppendChild(msViewportStyle)}/*]]>*/</script><script type="
text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3
.2/jquery.mobile-1.3.2.min.js"></script><script type="text
/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js">&
lt;/script><title>Microsoft..... ................ .......
<<< skipped >>>


GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1; MS-CV=evqDfPQkrkOBzCa5.1


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Tue, 21 Jul 2015 23:51:36 GMT
Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#pA.B...B..
[email protected]............
..............PE..L....jkG.............................c... ..........
. ................................^.......... ........................
..............x.............]. ........... "..........................
.....&..@............ ...............................text........ ....
.................. ..`[email protected]...
x........H].................@..@......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................l...V...:...".............
..................|...................................(...r...d...T...
....*...........P...j...................<...................\......
.................................>...L...^...n.....................
......................2...L.......h...p...............................
........(...>...L...`...v...................................N...>
;...,...................d.............................................
..............z...,...<...J...\...|.......N...Z...d...n...@....
<<< skipped >>>


GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 21 Jul 2015 23:51:32 GMT
Connection: close
Content-Length: 148
<head><title>Document Moved</title></head>.<
;body><h1>Object Moved</h1>This document may be found &
lt;a HREF="hXXp://VVV.microsoft.com/">here</a></body>..



6...xiB..9WFL..%.;(....v!.s.I....a).N.7........?..........




<html>..<head><title>400 Bad Request</title>&l
t;/head>..<body bgcolor="white">..<center><h1>400
 Bad Request</h1></center>..<hr><center>nginx/
1.2.9</center>..</body>..</html>..



[email protected]'..:........;U9.P..L.1....s
...g....f6.....lz-..l......<Q..V...i."..3...x.............&.0....Q.
.$-....q.YqS..{E.)R.CC<..*..2...k...\..B..<3

HTTP/1.1 400 Bad Request


Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 21 Jul 2015 23:52:27 GMT
Connection: close
Content-Length: 326
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org
/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>Bad Re
quest</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/
html; charset=us-ascii"></HEAD>..<BODY><h2>Bad Re
quest - Invalid Verb</h2>..<hr><p>HTTP Error 400. Th
e request verb is invalid.</p>..</BODY></HTML>....

The Trojan connects to the servers at the folowing location(s):

svchost.exe_1356:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
6!6&696>6|6
9!:':-:6:
:&;-;7;_;
5(6-6;6|6
7)7=7[7}7
>#>(>9>_>
?,?1?[?`?
5]5S5c5k5q5
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path inj_ffile<<:2:>>inj_ffile

svchost.exe_1356_rwx_00080000_000BE000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
6!6&696>6|6
9!:':-:6:
:&;-;7;_;
5(6-6;6|6
7)7=7[7}7
>#>(>9>_>
?,?1?[?`?
5]5S5c5k5q5
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path inj_ffile<<:2:>>inj_ffile

svchost.exe_1356_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1288:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
6!6&696>6|6
9!:':-:6:
:&;-;7;_;
5(6-6;6|6
7)7=7[7}7
>#>(>9>_>
?,?1?[?`?
5]5S5c5k5q5
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_1288_rwx_00080000_000BE000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
6!6&696>6|6
9!:':-:6:
:&;-;7;_;
5(6-6;6|6
7)7=7[7}7
>#>(>9>_>
?,?1?[?`?
5]5S5c5k5q5
:!:?:]:{:
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
CCn7A5XU4CzHzqO2FLGKUbyHdY6ib4THrj6hFnsNC91Ppav9uwgbOdS5yiEmzFlfEH5q9BrghvkQ6h6yHnRIruDtXd0PDynXRapk stnOg8 lhBkVQtwqvwdx0YKwOYYMsiPSZ4ZkbJaN4jiHpyXxikeLdivpDPd3kWJRmdyiGNBGHR7k6brC0v2K6Y3bIHi9fPpJIlvoGzlKyqWKZbgyvMKhfRH126QPM9 L6lCgK7m kyrVJiXkjtcP5z8SS p1bK16PrKxlNudveDjR9IlqhNqTiNr78QXP75MTIzVeZrz7Tcfof3QNj6U8Gv/JIeibNpOmlNns8ti9RIhh5ZLKoegOBmlmtQM0rniYADF47h6Lj6dLteD9vdSqZJsQHIGvIuA7947pmnUaqpcjKY3LYgVF2x9RvnVSrLQy8Msk7qqSbG2 18wzMzkSRmcDGU4kVcMMLftEmJ4bIHoF2FAPgyGgCSkTVbqrdTGlgcsvH0t4XSpP7tIh8jClm75Ou3CQTpLfFzMKnc6mJjLxthWVUze9iMkM2lodm24a72Q1ASzBLcyyVm6x6p wLyuJ8qma8MBknHVMisVT7MVknJ3vZbF9aZPJFzAhcUG/Upzx5isNAuTL4hmXOtkhI4FBxi1Cr61qDUiy5RWmbWg/8TMwzig8QrKciaaO5bHzpmKpQRuFszWr6F2QvRC0xGO2xRrXXZTn49ttSc8nqBKCUSN6laRQzaqlvIrCdoco77cJleen7p24ksvps1/5wvQdV5p73LSkGnWh8GFNEdOXqf3TRAvapyq/MK6pb ZVfjUuInC7v/fEmNgxChvtF 890LhInkEqFRbS19fUQ73JqLlcJZ18pvOf B1mj934NofFTx9nwdpJn3HzNX6GtzFas2HnN7eYIWlMw3tSAkgiusQimrQVscKmqnJQaa0khTfdi5XiZXSmL7ACZazSHb7jCa5pBrfMwYFUZ Oe9X2VZ6dhPqOx2PyPLSlbCoRrnbVdgQc9kdsRb7WM48D1x9vGYOWbUIoaJ2NbT3tOBeqcE/na9gY4KSEUEvJMG50HRf7PsjDOG07bHSTMWDWFJVWnBzRw0gxGugVSXb4cCgMsdK2Iy9YStviYLxSJNWOxr2nqr8FNfrm06XldaCdxzl91l8dtI5KijeweUIMAc 0LmyfOCkcxKlzf2gY6nXrBF4fg6MfU ynlZ5fJTtDsKdae7ft4SvOcILp7yrtsvMaBFDhz/kpidQxUDWKTfEsAhZ7MhMg/R8u8obqeVxbgYyzFKdZphWp 3mH/TnHPBZ2bpK5RAJbyhG6mzXDdK6n5WZ/t1rHvZnkzur8Ous6C0l 6mfTNAJtodq3/Hb2IzSzr/6ZIosa9wKWNAQXUzxS5VWTm5c06VIslbl lyuVB lszHKcuTo/WnlyiEQnXsGi3J9 4H47Jrpn7bmi4RsezcNIla6/9NNp Epn 7O oCDCWVLPojN8GIGagtuSTGvIaxcxsOH8pqzLmgKPEreqCODspRsSJFIQnyvyslEnaaGmA/5d5W657R/7GHKCX8zjkAgoN1DMq635FP8oTdr3TDX hf1kQjE0rAYauyUMCvK7sISTcp0mNaVNlb41xJ34HMs9MsptRLJ/vG5CxUlphVr5/bN/ lRjw7G FQOZ3fsm7g9hEsKP0ZyGDAa2 /5 Pbtnv8v mC6IIuDvXfhBhabUQROZ4ivV/5UW8AsgAG8vFNkMo su96PU/1JKOUIzfoiKRRkHkCTi/C8SA7aS5nMPHBANimaCqFnwwbCYwrLOihSaspSnyNkNyY757bt/QjJqFmIlXivAZUArboo35ORbIPUs3A1Mg/HqNKgpip4qHE7/FU gePTIpH8EneENl5xDvbkU5blo0X7LtnsFYtEH2gfOvuuyH2EDvXRTSQlzd7pxvlAPEbHt5Bp9bNzydjcUxsDuHLwVhsIX9vKuSoOJsffrqB8/St36C6A9QwalMeyTKycOGU0L/luLgb3waTr/HBXnwTJ/0yFwe0N2KJ9w7 bApzfBHsD1KyxfZTkejTc/90A5o3sdGUb NFk1t03fmnrieYc1jflgmExl15IbG3l1yH dQjKe3EDQQtrtqKOqTCz4kxERSvvwxHZAkHdvbuEgyj83msbURUK9a6Hw/eBdF5bwkam7gjRVBVAMYtOEOWml2LUzIVd6ODW9lQQPyxPuYx9E6zhNdJ IQ39KC9fZmA xBjThjtzQoLqHJuPg5Jhn8pqjr5R IXLjpuI/haegOdKxRQ ZhcMwtfcPyprJx6fk1q4BtXXlfTcz5tv98emMEZNjO9zJYPxD9 OLzecjXvIUSABygCVvyxigsL10H48GLPOZDOeimJO 35B/ZiROLmnqAJbPSC3CjJtXa4bw3PIVvQu4v2ble00zg2mNcRqvshCttYLCwVva6pssj7LinNm6RQkUobMg1SxD8/Qp9l5ujarkGoJoSaU9IWMKb6wHF3M1fLhNHehrt68pQMgRZ9A/N/xcFtUyTsgKo3QcpX13BAm/BhDO7crmpT9hGjulfatrTEbg6DvYM3rxrVv9nxqwax4/jQEh4c8/YtCPS7AguqCjOnmRkU/Thhm7FwtCRhZMoI/rVhg61uCrT9sklJNI38nXVCn81Qb7jrhd0AJjGEbPCd4aeuQU2k84m8jAPNpKjfuIA8nCjRf9RckQS0Ux/MzxwVDm1ltMC4IVK7z/mVdAUpAHVo4aAF zL9Q3gRpzFUxP 9V VzgaKhmyV7fle 0IPiJ7KJjT bSVDWToc rZDrFPg0Gw65ApdlxA4zbgpYEIKi9Yuxx hb8l9kNoEEGmAgbKCU2GdqLvqN5iJfeR/ /gGmhsFRRu8DzIvBhlKnPU11fQOGqNWazlhsPOqBnIG8mgw3LLRhUBl /emKIMhIfverCwYNp9/zPEh9DgDxmyDvbFIEZ1i2WG1IMRnSw/cOd4C3vlN6oA8a/WCeg7kItTuzHOOJy7uXfETlBEp0OhGH LTh7FTwbz7/RpdmHgGCEPUzXsQJQDr3PuB20EB15oMwcttK1/HP zDTBpRbfVIeC1vCJFTN T82EyhcdH/C/UGMTfHXdVIaJKHESm7zjqRo2wO xFsoxz9hLTBffynGjseluWz2P5U1hdtnpUcd18qKerCsdi3yFV4ViNG4ZJCT2 c//SOKDQ3x9/eTzUt1sMdDV75zPpdQXgyJPlQM3qDOL/NQbS2gi7SSWj36Z3tldugH9N9QU6ngqRw ZJ8jMQbjUCISHdaAThG42agRZ3p8fw0I/41olFnPLJzgcr8IB0ef/VO00i4wFT9iYxdict93pZ0aHPMq/Nb TxwjaODg2Xq0zykwuDjBEr2s/yts4tOGdm9PPITBJMJuiV/umbAMv1WaUrwSAgZq/wfihwX9lv9DEBM3Dc8s3W1pyk4b8r73LczeM6XX9XnuKc7Vt8d31LDtotiPuH7HUuRmiF/1tNBHmzft1fa7RNb2sikTAi5tbl1gOQbzft/W3smSeLxZai8h9UOvtLXD81CWvTszrKH1v82hvwoRiTVb4SWRLnWtp0Kp8l97VytDNAo/YHJjSe/n0h0wUdUuMPQLhz2pgAd1ED3nq 1qqHm/ET01FrpAJJ4KHlc//9Mr4apao1SQG7Re4hhYhYsmFyEv8z tw4flwXQWw06mKFF05k8n0HqJ/e/O25czj8DpvaJuwkVS9z7POMb6cStGWhBnwZv9v4LkF3qpGnf9w1DldmV uQKIRQ643NBXqA0V9MrmhMryvcbPZzlQH/RjEVRjtWeAEEG9sgyh  1jIBv38jO2Z J2TpWRXCrGKygJNObmidxYPVBebfiTOjGmcuU x4WmiySt9VfaZ0EZySrBtzzfSY6O0yKrG9Sa9UPgmMwNwmIbP7Ln2pi9XKfJWVoJRx1TMKmy3AlbXqd/GTk4gvzX4Iv8tNlX8EXZT4QAJqwtNvwD2Imw5Ce5trufAUmkf8KGflS6SihrYMcbcE72OVpeabR9ihDZslQDaeyvirKLEPMlkhiOQjenGPs4oiKafxTSIFtRF0MFHZ0HmuNeXx2XCO58LxugBa5a/RJQWK9boEO K6MqXutZzfvexdbw8xMP8mmPb HMpHKv1ymTNZ CZets0ZctUQnil9gjqHl6P92L5YV6yVa5O0JAJVOZxgrwd6E//7LM6K5DljtpPiQLsCy8Ednj1vMSyl1LcD02KsVLokeRh7id4Zo/BRhnYPYJC7dagDwp/kxcYyyAujw3yiCjTuXBIqE4 wTmONRGVyvnX eeWri5BaShelRKWDHdUCG18zoNvgKqrDnDpkHldErz/z9b5lGACLF7afI4DJbHZcWle2xit4vkxoHZ2jbhkerZBSh373o8qkhX xgcG6ck25QmZZDlNAts3AARoMtMI8wFhcuDizk6SFIVZ fE5gsZzFqyaWND2K5i/PMHF4ph e8BO412QuhGSyeyyUKhM1IX3RTl71G9QJ9EUREasKaVoUsmQO3HpLyw4SeTXpi 18gDyxlkuOuMrYt1Dy8zBNm9f14yNhh1QJGj1mQhh7xl X1HuZz2aHRW12T4U37zK6jnhWuW9i FXF7qzHRUy0fk4PpHsKvkOb5m YjxcDoWncAOIqWX7ZdE09ECG7P4y4GSwdjPiOfdxT7yc5H/3dsZHWW9zO85a55zdzQ0bSaC 6hG7cPLwICJtUm2aJUxcNFHBiZ/zSOEWh5YogOKBemH870e19pWZxFoQ0y2IgH/HzsEGSMSlTIdOcVDKv3c8beQf0PaOCKYj9SptOEVyeL9 WMnQU3nYF8IICmtF7G4TcN9e4Xf7AS1sGxMkonu8g32/ukLss5ySFKkPkbmgTPqXqWv5KEqZSqT/1K0FqfIp0Yv6P/Vn5Yp9ASMB9V4TUgrWbcsDQd1denq6EprcN1ECXzLSWVOtQGVjn03TsrIul4vvx9MmFrrDHQZVcgLFI7vAofPMtJ8ZC9v899JN7n5buIh0mwJuitPS1y0vHvbJQpULvc7zK6zUuB8wcxtd5nRT1RPWb2ABDLnazBB9NBqN91Tdi1I VEjWgXNoZWGs/noNm2dpR5VC5VQSJ931uxW8MjlHOL7aniLfIDRtacH2 aD90fsl7Mmrsw1fcwi3zpl3S1 WmVaX0pxisjmG6372Mp3XNxBujZD6TdgHi8ZnJ1 VG1kpAb0EH2Q7LmpQoMwhmU1Rx1hGcXvLBmD0MM0oN69HfN81DP97Hh9gFQjfkAWAIMVoAGuXPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_1288_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mofcomp.exe:3692
    %original file name%.exe:1004
    WindowsXP-KB968930-x86-ENG.exe:1256
    ngen.exe:2476
    ngen.exe:2612
    ngen.exe:2928
    ngen.exe:2636
    ngen.exe:3064
    ngen.exe:3044
    ngen.exe:2568
    ngen.exe:2540
    ngen.exe:2544
    ngen.exe:2560
    ngen.exe:3020
    ngen.exe:3088
    ngen.exe:2508
    ngen.exe:2500
    ngen.exe:2604
    ngen.exe:2624
    ngen.exe:2628
    ngen.exe:3072
    ngen.exe:2552
    ngen.exe:2576
    ngen.exe:2492
    ngen.exe:2412
    ngen.exe:2516
    update.exe:2112
    PSCustomSetupUtil.exe:3824
    PSCustomSetupUtil.exe:2716
    PSCustomSetupUtil.exe:3924
    PSCustomSetupUtil.exe:1168
    PSCustomSetupUtil.exe:2892
    PSCustomSetupUtil.exe:4044
    PSCustomSetupUtil.exe:1420
    PSCustomSetupUtil.exe:2052
    PSCustomSetupUtil.exe:2740
    PSCustomSetupUtil.exe:3972
    PSCustomSetupUtil.exe:3892
    PSCustomSetupUtil.exe:2072
    PSCustomSetupUtil.exe:2668
    PSCustomSetupUtil.exe:2648
    PSCustomSetupUtil.exe:2872
    PSCustomSetupUtil.exe:2816
    PSCustomSetupUtil.exe:2708
    PSCustomSetupUtil.exe:3748
    PSCustomSetupUtil.exe:304
    PSCustomSetupUtil.exe:2764
    PSCustomSetupUtil.exe:1596
    PSCustomSetupUtil.exe:3996
    PSCustomSetupUtil.exe:4072
    PSCustomSetupUtil.exe:472
    PSCustomSetupUtil.exe:2000
    PSCustomSetupUtil.exe:3848
    PSSetupNativeUtils.exe:3368
    mscorsvw.exe:3948
    mscorsvw.exe:3492
    mscorsvw.exe:3828
    mscorsvw.exe:3048
    mscorsvw.exe:3672
    mscorsvw.exe:2460
    mscorsvw.exe:3552
    mscorsvw.exe:3120
    mscorsvw.exe:2348
    mscorsvw.exe:320
    mscorsvw.exe:3180
    mscorsvw.exe:2660
    mscorsvw.exe:2684
    mscorsvw.exe:424
    mscorsvw.exe:3764
    mscorsvw.exe:184
    mscorsvw.exe:2932
    mscorsvw.exe:2836
    mscorsvw.exe:3528
    mscorsvw.exe:3560
    mscorsvw.exe:3396
    mscorsvw.exe:3080
    mscorsvw.exe:2020
    mscorsvw.exe:2140
    mscorsvw.exe:2100
    wsmanhttpconfig.exe:3664
    wsmanhttpconfig.exe:3576

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\wbem\Logs\mofcomp.log (1068 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\e86a9d383afd90415e\update\update.exe (10748 bytes)
    C:\e86a9d383afd90415e\about_session_configurations.help.txt (276 bytes)
    C:\e86a9d383afd90415e\update\update.ver (14 bytes)
    C:\e86a9d383afd90415e\about_remote_output.help.txt (887 bytes)
    C:\e86a9d383afd90415e\diagnostics.format.ps1xml (590 bytes)
    C:\e86a9d383afd90415e\about_path_syntax.help.txt (5 bytes)
    C:\e86a9d383afd90415e\about_aliases.help.txt (6 bytes)
    C:\e86a9d383afd90415e\profile.ps1 (772 bytes)
    C:\e86a9d383afd90415e\about_redirection.help.txt (2 bytes)
    C:\e86a9d383afd90415e\dotnettypes.format.ps1xml (266 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\e86a9d383afd90415e\wsmpty.xsl (1 bytes)
    C:\e86a9d383afd90415e\microsoft.wsman.runtime.dll (33 bytes)
    C:\e86a9d383afd90415e\about_commonparameters.help.txt (12 bytes)
    C:\e86a9d383afd90415e\about_regular_expressions.help.txt (5 bytes)
    C:\e86a9d383afd90415e\wsmsvc.dll (15909 bytes)
    C:\e86a9d383afd90415e\windowspowershellhelp.chm (26041 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.management.dll (3386 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\e86a9d383afd90415e\winrm.cmd (35 bytes)
    C:\e86a9d383afd90415e\winrssrv.dll (12 bytes)
    C:\e86a9d383afd90415e\microsoft.wsman.management.dll (5010 bytes)
    C:\e86a9d383afd90415e\about_ref.help.txt (1 bytes)
    C:\e86a9d383afd90415e\pspluginwkr.dll (1756 bytes)
    C:\e86a9d383afd90415e\wsmanhttpconfig.exe (3009 bytes)
    C:\e86a9d383afd90415e\eventforwarding.adm (2 bytes)
    C:\e86a9d383afd90415e\about_remote_troubleshooting.help.txt (146 bytes)
    C:\e86a9d383afd90415e\about_wmi_cmdlets.help.txt (8 bytes)
    C:\e86a9d383afd90415e\powershell_ise.exe (2526 bytes)
    C:\e86a9d383afd90415e\about_logical_operators.help.txt (2 bytes)
    C:\e86a9d383afd90415e\winrsmgr.dll (2 bytes)
    C:\e86a9d383afd90415e\about_try_catch_finally.help.txt (7 bytes)
    C:\e86a9d383afd90415e\about_parameters.help.txt (9 bytes)
    C:\e86a9d383afd90415e\about_arithmetic_operators.help.txt (168 bytes)
    C:\e86a9d383afd90415e\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\e86a9d383afd90415e\about_job_details.help.txt (824 bytes)
    C:\e86a9d383afd90415e\about_special_characters.help.txt (3 bytes)
    C:\e86a9d383afd90415e\about_pssnapins.help.txt (6 bytes)
    C:\e86a9d383afd90415e\wtrinstaller.ico (4803 bytes)
    C:\e86a9d383afd90415e\about_quoting_rules.help.txt (659 bytes)
    C:\e86a9d383afd90415e\filesystem.format.ps1xml (133 bytes)
    C:\e86a9d383afd90415e\bitstransfer.format.ps1xml (16 bytes)
    C:\e86a9d383afd90415e\about_pssessions.help.txt (9 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.editor.dll (14450 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\e86a9d383afd90415e\about_command_syntax.help.txt (5 bytes)
    C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
    C:\$Directory (800 bytes)
    C:\e86a9d383afd90415e\update\kb968930xp.cat (512 bytes)
    C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\e86a9d383afd90415e\about_scopes.help.txt (76 bytes)
    C:\e86a9d383afd90415e\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\e86a9d383afd90415e\about_while.help.txt (2 bytes)
    C:\e86a9d383afd90415e\winrmprov.dll (591 bytes)
    C:\e86a9d383afd90415e\about_windows_powershell_ise.help.txt (6 bytes)
    C:\e86a9d383afd90415e\about_remote_faq.help.txt (775 bytes)
    C:\e86a9d383afd90415e\about_properties.help.txt (7 bytes)
    C:\e86a9d383afd90415e\about_reserved_words.help.txt (1 bytes)
    C:\e86a9d383afd90415e\about_parsing.help.txt (2 bytes)
    C:\e86a9d383afd90415e\about_history.help.txt (3 bytes)
    C:\e86a9d383afd90415e\bitstransfer.psd1 (950 bytes)
    C:\e86a9d383afd90415e\about_operators.help.txt (770 bytes)
    C:\e86a9d383afd90415e\about_script_internationalization.help.txt (9 bytes)
    C:\e86a9d383afd90415e\about_variables.help.txt (6 bytes)
    C:\e86a9d383afd90415e\about_profiles.help.txt (457 bytes)
    C:\e86a9d383afd90415e\update\updspapi.dll (5940 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\e86a9d383afd90415e\about_line_editing.help.txt (1 bytes)
    C:\e86a9d383afd90415e\wsmauto.dll (1842 bytes)
    C:\e86a9d383afd90415e\wevtfwd.dll (3351 bytes)
    C:\e86a9d383afd90415e\powershelltrace.format.ps1xml (344 bytes)
    C:\e86a9d383afd90415e\about_eventlogs.help.txt (5 bytes)
    C:\e86a9d383afd90415e\winrscmd.dll (2907 bytes)
    C:\e86a9d383afd90415e\wsmprovhost.exe (657 bytes)
    C:\e86a9d383afd90415e\getevent.types.ps1xml (15 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\e86a9d383afd90415e\pwrshsip.dll (24 bytes)
    C:\e86a9d383afd90415e\help.format.ps1xml (3947 bytes)
    C:\e86a9d383afd90415e\about_modules.help.txt (13 bytes)
    C:\e86a9d383afd90415e\about_assignment_operators.help.txt (379 bytes)
    C:\e86a9d383afd90415e\about_functions.help.txt (586 bytes)
    C:\e86a9d383afd90415e\registry.format.ps1xml (20 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\e86a9d383afd90415e\powershellcore.format.ps1xml (1492 bytes)
    C:\e86a9d383afd90415e\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\e86a9d383afd90415e\about_requires.help.txt (2 bytes)
    C:\e86a9d383afd90415e\about_throw.help.txt (5 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\e86a9d383afd90415e\update\update.inf (2457 bytes)
    C:\e86a9d383afd90415e\windowsremotemanagement.adm (574 bytes)
    C:\e86a9d383afd90415e\update\spcustom.dll (23 bytes)
    C:\e86a9d383afd90415e\winrshost.exe (22 bytes)
    C:\e86a9d383afd90415e\about_types.ps1xml.help.txt (481 bytes)
    C:\e86a9d383afd90415e\about_scripts.help.txt (12 bytes)
    C:\e86a9d383afd90415e\system.management.automation.resources.dll (3153 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\e86a9d383afd90415e\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\e86a9d383afd90415e\about_split.help.txt (10 bytes)
    C:\e86a9d383afd90415e\about_objects.help.txt (2 bytes)
    C:\e86a9d383afd90415e\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\e86a9d383afd90415e\about_break.help.txt (792 bytes)
    C:\e86a9d383afd90415e\about_if.help.txt (3 bytes)
    C:\e86a9d383afd90415e\about_type_operators.help.txt (5 bytes)
    C:\e86a9d383afd90415e\about_command_precedence.help.txt (8 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\e86a9d383afd90415e\about_arrays.help.txt (8 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\e86a9d383afd90415e\about_preference_variables.help.txt (37 bytes)
    C:\e86a9d383afd90415e\pwrshmsg.dll (4 bytes)
    C:\e86a9d383afd90415e\about_script_blocks.help.txt (3 bytes)
    C:\e86a9d383afd90415e\$shtdwn$.req (788 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\e86a9d383afd90415e\windowsremoteshell.adm (12 bytes)
    C:\e86a9d383afd90415e\about_transactions.help.txt (1011 bytes)
    C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\e86a9d383afd90415e\about_do.help.txt (2 bytes)
    C:\e86a9d383afd90415e\wsmtxt.xsl (2 bytes)
    C:\e86a9d383afd90415e\about_format.ps1xml.help.txt (17 bytes)
    C:\e86a9d383afd90415e\default.help.txt (2 bytes)
    C:\e86a9d383afd90415e\powershell_ise.resources.dll (4 bytes)
    C:\e86a9d383afd90415e\importallmodules.psd1 (438 bytes)
    C:\e86a9d383afd90415e\about_remote.help.txt (7 bytes)
    C:\e86a9d383afd90415e\pssetupnativeutils.exe (9 bytes)
    C:\e86a9d383afd90415e\about_wildcards.help.txt (3 bytes)
    C:\e86a9d383afd90415e\system.management.automation.dll (38414 bytes)
    C:\e86a9d383afd90415e\about_pssession_details.help.txt (9 bytes)
    C:\e86a9d383afd90415e\winrm.vbs (2727 bytes)
    C:\e86a9d383afd90415e\about_return.help.txt (3 bytes)
    C:\e86a9d383afd90415e\about_continue.help.txt (1 bytes)
    C:\e86a9d383afd90415e\about_trap.help.txt (10 bytes)
    C:\e86a9d383afd90415e\about_for.help.txt (146 bytes)
    C:\e86a9d383afd90415e\about_execution_policies.help.txt (13 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\e86a9d383afd90415e\about_signing.help.txt (12 bytes)
    C:\e86a9d383afd90415e\about_functions_advanced.help.txt (3 bytes)
    C:\e86a9d383afd90415e\system.management.automation.dll-help.xml (16567 bytes)
    C:\e86a9d383afd90415e\about_core_commands.help.txt (221 bytes)
    C:\e86a9d383afd90415e\about_language_keywords.help.txt (11 bytes)
    C:\e86a9d383afd90415e\about_automatic_variables.help.txt (14 bytes)
    C:\e86a9d383afd90415e\about_locations.help.txt (794 bytes)
    C:\e86a9d383afd90415e\wsmplpxy.dll (603 bytes)
    C:\e86a9d383afd90415e\update\eula.txt (586 bytes)
    C:\e86a9d383afd90415e\about_escape_characters.help.txt (2 bytes)
    C:\e86a9d383afd90415e\about_remote_requirements.help.txt (6 bytes)
    C:\e86a9d383afd90415e\about_hash_tables.help.txt (6 bytes)
    C:\e86a9d383afd90415e\wsmres.dll (6164 bytes)
    C:\e86a9d383afd90415e\about_foreach.help.txt (10 bytes)
    C:\e86a9d383afd90415e\about_pipelines.help.txt (411 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.security.resources.dll (9 bytes)
    C:\e86a9d383afd90415e\about_comment_based_help.help.txt (595 bytes)
    C:\e86a9d383afd90415e\spuninst.exe (3787 bytes)
    C:\e86a9d383afd90415e\pwrshplugin.dll (802 bytes)
    C:\e86a9d383afd90415e\winrmprov.mof (789 bytes)
    C:\e86a9d383afd90415e\wsmauto.mof (4 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\e86a9d383afd90415e\about_environment_variables.help.txt (417 bytes)
    C:\e86a9d383afd90415e\powershell.exe.mui (10 bytes)
    C:\e86a9d383afd90415e\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\e86a9d383afd90415e\certificate.format.ps1xml (155 bytes)
    C:\e86a9d383afd90415e\types.ps1xml (2510 bytes)
    C:\e86a9d383afd90415e\about_bits_cmdlets.help.txt (7 bytes)
    C:\e86a9d383afd90415e\about_switch.help.txt (489 bytes)
    C:\e86a9d383afd90415e\about_comparison_operators.help.txt (11 bytes)
    C:\e86a9d383afd90415e\wsmwmipl.dll (2816 bytes)
    C:\e86a9d383afd90415e\about_jobs.help.txt (12 bytes)
    C:\e86a9d383afd90415e\spupdsvc.exe (287 bytes)
    C:\e86a9d383afd90415e\about_functions_advanced_methods.help.txt (9 bytes)
    C:\e86a9d383afd90415e\winrm.ini (1956 bytes)
    C:\e86a9d383afd90415e\about_providers.help.txt (59 bytes)
    C:\e86a9d383afd90415e\about_prompts.help.txt (7 bytes)
    C:\e86a9d383afd90415e\microsoft.wsman.management.resources.dll (13 bytes)
    C:\e86a9d383afd90415e\about_join.help.txt (2 bytes)
    C:\e86a9d383afd90415e\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\e86a9d383afd90415e\about_remote_jobs.help.txt (13 bytes)
    C:\e86a9d383afd90415e\winrs.exe (1154 bytes)
    C:\e86a9d383afd90415e\wsman.format.ps1xml (837 bytes)
    C:\e86a9d383afd90415e\about_methods.help.txt (6 bytes)
    C:\e86a9d383afd90415e\about_data_sections.help.txt (5 bytes)
    C:\e86a9d383afd90415e\spmsg.dll (495 bytes)
    C:\e86a9d383afd90415e\pscustomsetuputil.exe (316 bytes)
    C:\e86a9d383afd90415e\about_debuggers.help.txt (21 bytes)
    C:\e86a9d383afd90415e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
    %System%\SETBF.tmp (42 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %WinDir%\msmqinst.log (5468 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (5305 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (2400 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %WinDir%\SECD0.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %WinDir%\imsins.log (3792 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1579 bytes)
    %WinDir%\inf\oem11.PNF (9992 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %WinDir%\iis6.log (138780 bytes)
    %WinDir%\comsetup.log (48646 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (244906 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %WinDir%\ntdtcsetup.log (22997 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %WinDir%\inf\oem11.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\tmp\QHMRW27C\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\E5AFKOTX\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\A38DJOTY\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\A16BGLQV\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\RINSX27D\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\OFKPV05A\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\JCHNSX27\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\C27CINSX\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\B16BHMRW\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\QIOTY39E\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\5X27CINS\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\D38DIOTY\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\C28DINTY\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\H7CHNSX2\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\QINSX16A\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\LBGLQV05\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\J9FKPUZ5\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\A06BGLQV\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\SJOTY39E\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\7Z49FKPU\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\ZRW17CHM\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\905AFLQV\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\SJOTY38E\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now