Gen.Variant.Mikey.14806_79c26fa7c0

by malwarelabrobot on July 6th, 2015 in Malware Descriptions.

Trojan.Win32.Inject.uxea (Kaspersky), Gen:Variant.Mikey.14806 (B) (Emsisoft), Gen:Variant.Mikey.14806 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 79c26fa7c0f35c6bbfd771f85a2d0f7e
SHA1: 2f79e1223f61b540eef023fd465c31cfcf3ce77b
SHA256: 863270943609c243a13c357e0bb8930480f9cfc7043d0cef844bbad66708f50c
SSDeep: 6144:HkQP53/E7ric1baDD8GNlw6QIRS7yF3lYyRY2wFAUnscA9tVijYmXrgScvuEO6MU:HkQP53/E7rDsl7nTUs3lYf2yA0sHPijk
Size: 376887 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-05 14:07:38
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mofcomp.exe:2104
WindowsXP-KB968930-x86-ENG.exe:1508
ngen.exe:2968
ngen.exe:3060
ngen.exe:3000
ngen.exe:3148
ngen.exe:3164
ngen.exe:3068
ngen.exe:3044
ngen.exe:3476
ngen.exe:3108
ngen.exe:3100
ngen.exe:3516
ngen.exe:3124
ngen.exe:3020
ngen.exe:3080
ngen.exe:3484
ngen.exe:3524
ngen.exe:3156
ngen.exe:3052
ngen.exe:3508
ngen.exe:3012
ngen.exe:3116
ngen.exe:3468
ngen.exe:3092
update.exe:1304
PSCustomSetupUtil.exe:2292
PSCustomSetupUtil.exe:3320
PSCustomSetupUtil.exe:3292
PSCustomSetupUtil.exe:3348
PSCustomSetupUtil.exe:2204
PSCustomSetupUtil.exe:3212
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2548
PSCustomSetupUtil.exe:2268
PSCustomSetupUtil.exe:2380
PSCustomSetupUtil.exe:2664
PSCustomSetupUtil.exe:2640
PSCustomSetupUtil.exe:2744
PSCustomSetupUtil.exe:2508
PSCustomSetupUtil.exe:3188
PSCustomSetupUtil.exe:2444
PSCustomSetupUtil.exe:2228
PSCustomSetupUtil.exe:2420
PSCustomSetupUtil.exe:2704
PSCustomSetupUtil.exe:2608
PSCustomSetupUtil.exe:3268
PSCustomSetupUtil.exe:3172
PSCustomSetupUtil.exe:3228
PSCustomSetupUtil.exe:3372
PSCustomSetupUtil.exe:2144
PSCustomSetupUtil.exe:2356
PSSetupNativeUtils.exe:3644
mscorsvw.exe:3948
mscorsvw.exe:2964
mscorsvw.exe:2900
mscorsvw.exe:1340
mscorsvw.exe:2636
mscorsvw.exe:2452
mscorsvw.exe:3000
mscorsvw.exe:276
mscorsvw.exe:3148
mscorsvw.exe:2800
mscorsvw.exe:4060
mscorsvw.exe:1964
mscorsvw.exe:3796
mscorsvw.exe:4004
mscorsvw.exe:2480
mscorsvw.exe:2984
mscorsvw.exe:524
mscorsvw.exe:2368
mscorsvw.exe:1816
mscorsvw.exe:3884
mscorsvw.exe:3240
mscorsvw.exe:2312
mscorsvw.exe:2084
mscorsvw.exe:2144
mscorsvw.exe:2516
wsmanhttpconfig.exe:1612
wsmanhttpconfig.exe:2084
%original file name%.exe:464

The Trojan injects its code into the following process(es):

svchost.exe:1416
svchost.exe:240

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mofcomp.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:1508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process ngen.exe:2968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:3060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:3148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)

The process ngen.exe:3164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)

The process ngen.exe:3068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:3044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:3476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (486 bytes)

The process ngen.exe:3108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:3100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1428 bytes)

The process ngen.exe:3124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)

The process ngen.exe:3020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:3080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:3484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)

The process ngen.exe:3524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (746 bytes)

The process ngen.exe:3156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)

The process ngen.exe:3052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:3508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1106 bytes)

The process ngen.exe:3012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:3116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)

The process ngen.exe:3468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)

The process ngen.exe:3092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process update.exe:1304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5122 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (7577 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (5372 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3604 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (140211 bytes)
%WinDir%\comsetup.log (49590 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (242490 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22691 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Trojan deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process PSCustomSetupUtil.exe:2292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\UPTWZ258\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:3320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1JNQTWZ2\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SBEHKNRU\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:3348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\WGJNQTWZ\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SCFILPSV\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:2484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\Q9CFIMPS\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:2548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ATWZ259C\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\L48BEHKO\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:2380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\R9DGJMPS\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:2664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\J258BEHL\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\GZ258BFI\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:2744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\FY258BEH\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:2508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\J258BEHK\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\M69CFJMP\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:2228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\N7ADHKNQ\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:2420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\XGJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\VEHLORUX\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\HZ258BEI\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5ORVY147\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:3228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\L47ADHKN\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\O7ADHKNQ\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5PSVZ258\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:2356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\P7BEHKNQ\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSSetupNativeUtils.exe:3644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process mscorsvw.exe:2964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp (0 bytes)

The process mscorsvw.exe:2900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)

The process mscorsvw.exe:1340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)

The process mscorsvw.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)

The process mscorsvw.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)

The process mscorsvw.exe:4004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:2984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)

The process mscorsvw.exe:2368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)

The process mscorsvw.exe:3884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:3240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index63.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp (0 bytes)

The process mscorsvw.exe:2144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)

The process mscorsvw.exe:2516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)

Registry activity

The process mofcomp.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 40 6C 95 A7 1A 2A 54 42 21 D2 40 FD EC F8 89"

The process WindowsXP-KB968930-x86-ENG.exe:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 23 00 64 7F EB 6A 4C 9D 04 DF 89 8D 0B 2A 0C"

The process ngen.exe:2968 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 F0 C5 E3 22 05 C5 BB B5 7F 0E C3 D5 11 BA 91"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3060 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 6D 22 6D E6 13 06 B2 51 1E 93 DF 2C 29 F1 90"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 80 62 7B A1 30 CA C0 1C 1A 9F D3 0C 8F F9 A4"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3148 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 73 1B FF DD B5 F4 C5 32 58 87 B8 07 C1 8B 44"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3164 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 7D 0E B5 F6 4A 0C F8 E6 FA 79 76 41 B9 58 2B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3068 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 93 53 F1 9C 3D 72 02 AB 00 4D 0F E5 63 F5 A8"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 E7 7D 34 4C 49 8D 44 4D 20 36 90 17 D2 F4 0F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB EF A5 CD 62 7E 3E 7B 65 47 BC 28 94 00 2A 29"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3108 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 2E EF 9D DB CC A4 5B 50 94 2D AD 9A DA FA DB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3100 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 BA 87 17 3F F7 D7 EF 91 CB 02 0C 02 50 B3 FC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 0C E0 68 0F 25 64 5E E1 E9 8A 8E 29 D2 04 8C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3124 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 5E 8B 23 07 C0 1C F7 7C 4B 14 9E 04 2E 86 86"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3020 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 95 19 05 3B 7E 9F 56 8C 13 F8 EA 40 5A B4 C1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:3080 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 55 B5 89 31 9B 63 5F 41 49 10 66 71 68 38 F6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3484 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 38 D7 60 5B E9 69 0A 18 9F 26 20 90 8E 36 DB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3524 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 B8 A7 96 8C EB 8E 05 12 C7 E6 5B 9C 9E 3E 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3156 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 3B 96 D1 2F C1 B0 6B 62 8D 25 E1 3B 63 00 4B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3052 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 BC F3 0F BF DF 47 FA 79 46 B9 EC 58 4B 96 C8"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 2F D1 75 77 48 C5 D6 61 BF 19 84 A4 6A EB 7D"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3012 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 6C A0 7E AD 93 86 23 8D D4 26 2C AA 5B 46 F5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 2E E8 D1 EF 20 63 69 9A 56 37 3C DB E2 2D AA"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 11 31 BB 4D 8B 26 C2 E0 71 5A AD 64 B0 07 7F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3092 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 23 FC 6A 31 8A 1E B4 4D 17 59 F7 61 1F DE 3D"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process update.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"PathInetsrv" = "%System%\inetsrv"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "7/4/2015"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 1D FB 62 9A E0 85 75 E0 53 B3 E4 A5 99 98 FC"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"UpgradeType" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150704"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot-up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008\iis]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\518:11d008]

The process PSCustomSetupUtil.exe:2292 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 80 FD AA FC BB 04 77 AE 84 06 1B AE B0 4D 41"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 AD 56 96 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:3320 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 ED 48 7E A9 0E 71 91 BF 6E 26 D3 1B 52 4B A6"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F4 73 2E 9B 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3292 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 A2 B0 0F 59 EF BA F8 25 0D BA 29 E0 6D 26 AA"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "62 75 0F 9B 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:3348 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 75 A5 8E F1 3E 56 54 DB BD 1D 72 05 EC 15 E3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "2C 10 4B 9B 9F B6 D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:2204 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB B9 08 CF 49 46 6C 3D D7 70 70 94 1C 23 3E 2F"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "CE 8B D3 95 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:3212 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 11 6A CF 99 FE 13 DB 96 B8 52 46 56 4D 68 AC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2484 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 F9 FC E1 2E 59 E1 6A 1C D1 C4 E5 E1 0F 99 DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "9E CB 17 97 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:2548 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E BC A8 A7 85 91 E0 9B 05 03 D0 B2 20 9A 5E 67"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "38 79 66 97 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:2268 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 82 7C 83 91 BF 72 92 DC CA F0 48 0A 9A AF C4"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "D0 C2 2B 96 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE E1 AC CD FD B0 7A 5E 8C 7C 9D 32 17 3C 53 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "64 F8 A2 96 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:2664 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 60 4C E2 6F 36 12 F7 2D 30 61 F9 B8 02 5A 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "CC AE DD 97 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 3E 44 72 2B DD 63 56 A5 B1 E8 12 9F AD D4 92"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "2C 89 B7 97 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:2744 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 61 C9 8D 31 1A BF 27 0E 54 F5 AD 4A 40 3D 8D"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C0 BE 2E 98 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 88 41 74 20 02 14 C0 A2 09 B3 4B BA 3A CE F7"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "3E F1 3D 97 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:3188 makes changes in the system registry. The PATHEXT change below appends .PSC1, the PowerShell console-file extension that the PowerShell 2.0 installer registers; the rest of the list is the pre-existing default.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 58 B1 CD E9 F1 F1 12 BD 3C E9 FA DB 16 62 E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2444 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 FD 65 31 42 BD C0 C0 F2 D3 A1 5E AE 55 01 47"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "A4 43 EF 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:2228 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 79 F6 FB 24 54 C7 F8 39 0F 08 DE 69 63 B7 6F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "22 76 FE 95 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:2420 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 72 9E F1 A8 A6 43 3F 52 69 C2 39 D0 BC B6 EE"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "04 1E C9 96 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A A7 6E 60 29 B0 D4 F2 EA ED 2D AC CD AD 57 94"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C6 36 06 98 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2608 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D C5 FA C2 4C 94 1E 36 B9 05 75 39 F6 34 9A 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "32 01 8F 97 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 98 FF B5 51 39 A0 54 E5 A4 18 B5 45 C2 F5 63"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "76 14 EE 9A 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:3172 makes changes in the system registry. The machine Path below gains %System%\WindowsPowerShell\v1.0 at its end, which is the PowerShell installer's change; the Perl and Wireshark entries are the analysis machine's pre-existing Path, rewritten along with it.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 B6 B3 4D 76 4A 24 E8 BD 8B BD 41 37 A7 F6 09"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3228 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 32 3E FF C7 83 74 25 E9 6E B4 DA 19 33 1E 40"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "E4 15 CF 9A 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 9C BF 89 BE 79 17 CF 84 C2 E4 13 95 93 0A 64"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "BE 0E 6A 9B 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:2144 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 7F DF 24 52 55 31 F2 E5 EA 70 BE E1 6F F3 AB"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "7A A1 A8 95 9F B6 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:2356 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D B3 FA E0 69 FC 7F C0 4E 9D F2 2D EC 68 20 31"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "C4 D2 7C 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSSetupNativeUtils.exe:3644 makes changes in the system registry. The MountPoints2 and Shell Folders values below are written by the Windows shell on behalf of any process that enumerates volumes or resolves known folders; they describe the analysis machine's existing drives and profile paths rather than anything the sample created.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 0F 53 23 43 01 6B 57 9B 3E 8B 5D 4B 2B 75 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process mscorsvw.exe:3948 makes changes in the system registry. mscorsvw.exe is the .NET Framework native image service, the background worker behind the ngen.exe invocations listed in the process activity; the NativeImagesIndex entries it writes in this and the following blocks are its own bookkeeping for the PowerShell assemblies queued for precompilation.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 88 B5 C4 FB D9 E6 16 0C 99 E5 F2 45 94 BF 39"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2964 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 28 9F 87 C7 9A FD 86 FE 66 C1 19 36 4A 5B C4"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]

The process mscorsvw.exe:2900 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "64 F8 A2 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 C0 42 61 52 7B 4A 04 46 4D 6E 84 85 45 BF 6B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "04 1E C9 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
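
The GAC change-notification values in the PSCustomSetupUtil.exe blocks above, and the LastModTime values that mscorsvw.exe records in the native-image index, are 8-byte little-endian Windows FILETIME stamps (100 ns ticks since 1601-01-01 UTC), so they can be decoded and compared across processes. The Python script below is an added example, not part of the Lavasoft report: it parses this report's process / [key] / "name" = "value" layout, decodes those values into UTC timestamps, lists which assemblies each setup process install-referenced as "PowerShell Setup", and checks that the installer-side and NGEN-side timestamps for the same assembly agree. The embedded input is a constructed excerpt of lines copied from this page; the function names are the example's own.

```python
"""Decode the registry dump above: parse the report's process / [key] /
"name" = "value" layout, turn the 8-byte values into UTC timestamps and
cross-check them.  Added example, not part of the Lavasoft report."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed input: an excerpt of lines copied from this report.
SAMPLE_REPORT = r'''
The process PSCustomSetupUtil.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE E1 AC CD FD B0 7A 5E 8C 7C 9D 32 17 3C 53 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "64 F8 A2 96 9F B6 D0 01"
"StoreChangeID" = "194"

The process mscorsvw.exe:2900 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"LastModTime" = "64 F8 A2 96 9F B6 D0 01"
'''

PROCESS_RE = re.compile(r"^The process (\S+) makes changes in the system registry\.$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)" = "(.*)"$')
HEX8_RE = re.compile(r"^(?:[0-9A-F]{2} ){7}[0-9A-F]{2}$")  # exactly 8 bytes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_hex(text: str) -> int:
    """'38 79 66 97 9F B6 D0 01' (little-endian bytes) -> FILETIME integer."""
    raw = bytes.fromhex(text.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("FILETIME needs exactly 8 bytes")
    return int.from_bytes(raw, "little")


def filetime_to_datetime(ft: int) -> datetime:
    """100 ns ticks since 1601-01-01 UTC -> aware datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_report(text: str) -> dict[str, list[tuple[str, str, str]]]:
    """{process: [(key, name, value), ...]} for every value line in the dump."""
    entries: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    process = key = None
    for line in text.splitlines():
        line = line.strip()
        if m := PROCESS_RE.match(line):
            process, key = m.group(1), None
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and process and key:
            entries[process].append((key, m.group(1), m.group(2)))
    return dict(entries)


def gac_registrations(entries) -> dict[str, list[str]]:
    """Assemblies each process install-referenced as 'PowerShell Setup'.
    The key is Fusion / References / <assembly display name> / {installer GUID}."""
    out: dict[str, list[str]] = defaultdict(list)
    for proc, vals in entries.items():
        for key, _name, value in vals:
            if value == "PowerShell Setup" and "\\Fusion\\References\\" in key:
                display = key.split("\\References\\", 1)[1].rsplit("\\", 1)[0]
                out[proc].append(display.split(",", 1)[0])
    return dict(out)


def timestamps(entries) -> dict[tuple[str, str], datetime]:
    """{(process, assembly): time} for the FILETIME values in the dump: the
    GACChangeNotification entries (named after the assembly) and the
    NativeImagesIndex LastModTime entries (assembly taken from DisplayName)."""
    by_key: dict[tuple[str, str], dict[str, str]] = defaultdict(dict)
    for proc, vals in entries.items():
        for key, name, value in vals:
            by_key[(proc, key)][name] = value
    out = {}
    for (proc, key), names in by_key.items():
        if key.endswith("\\GACChangeNotification\\Default"):
            for name, value in names.items():
                if HEX8_RE.match(value):  # skips the StoreChangeID counters
                    out[(proc, name.split(",", 1)[0])] = filetime_to_datetime(filetime_from_hex(value))
        elif "LastModTime" in names and "DisplayName" in names:
            asm = names["DisplayName"].split(",", 1)[0]
            out[(proc, asm)] = filetime_to_datetime(filetime_from_hex(names["LastModTime"]))
    return out


def matching_mtimes(entries) -> dict[str, datetime]:
    """Assemblies seen by more than one process with one identical stamp: the
    installer's GAC notification and NGEN's LastModTime describe the same
    file on disk, so a legitimate install shows them agreeing."""
    seen: dict[str, list[datetime]] = defaultdict(list)
    for (_proc, asm), when in timestamps(entries).items():
        seen[asm].append(when)
    return {asm: ts[0] for asm, ts in seen.items() if len(ts) > 1 and len(set(ts)) == 1}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for proc, asms in gac_registrations(parsed).items():
        print(proc, "registered", ", ".join(asms))
    for (proc, asm), when in timestamps(parsed).items():
        print(f"{proc:28} {asm:28} {when:%Y-%m-%d %H:%M:%S.%f} UTC")
    print("consistent:", sorted(matching_mtimes(parsed)))
```

Every GAC stamp in this report shares the high dword 9F B6 D0 01, so they all decode to within about seven minutes of each other on 2015-07-04 UTC, the day of the sandbox run: the assemblies were written by the installer during the analysis, and the stamp NGEN later recorded for the same assembly is identical. That is the pattern of a legitimate GAC install followed by ngen queueing, which is what the installer launched by this sample is doing.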

The process mscorsvw.exe:1340 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 94 24 4C 2E 73 DA 2F DF 8A BE F8 E6 CC 2C 29"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "22 76 FE 95 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "24 AD 56 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 3F C3 0C A3 22 8E 1E AB 43 7D CD 0C 15 F2 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]

The process mscorsvw.exe:2452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 CE 8C 8F 27 F3 86 B2 D0 3C 5D 7B 99 D8 7A 21"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C D4 30 F2 D6 BF E8 B1 11 19 C6 0A 42 60 18 DC"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "D0 C2 2B 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 42 FD DE 12 8D 41 2E 11 F1 51 61 9E 32 C2 7A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:3148 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE F2 D5 A5 48 14 4D 96 DB BD 17 26 56 17 6A E9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2800 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 56 15 51 33 B7 F6 86 86 FE E7 95 89 58 08 2F"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:4060 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 76 36 52 0E AE 42 BC 85 1E 70 2D BF 9F E9 88"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:1964 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 47 86 F1 BA E5 21 5A 76 2B BC A8 AC 6C 0D 9D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "CE 8B D3 95 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process mscorsvw.exe:3796 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 B4 02 9C C8 66 5D C1 B5 20 39 6A 75 D6 B0 92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:4004 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "C4 D2 7C 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 20 C0 4C BC A6 E6 BD 5F B3 9A 03 8A 1F A7 1A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:2480 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 72 7B 91 76 BA B9 0D 21 68 79 AF 80 72 7B 10"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2984 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 30 86 A6 AE 32 E4 6F 72 2A 74 9C AC E2 DD 7C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority"

The process mscorsvw.exe:524 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 D5 33 39 E0 CF A2 65 08 68 FF 7F 1E 95 3D 10"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2368 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "62 75 0F 9B 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 89 38 14 0E 57 17 7D DB F7 5D AD B5 F7 D3 28"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]

The process mscorsvw.exe:1816 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 30 24 5E CE 8F AB 04 1D FC C4 4F 84 C9 DA A5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:3884 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "A4 43 EF 96 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "7A A1 A8 95 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 00 9F 48 B7 03 BA 26 99 92 7E 94 F6 EB 3C D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:3240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigMask" = "4361"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"MVID" = "E2 17 82 39 6B BC 18 53 A8 67 A6 33 0D FD 66 7B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3b249b34\afa163\1f\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index65]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"ILDependencies" = "57 8D AB 19 D0 02 1A 29 07 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D CA 53 B9 72 2F AF F1 24 62 51 A8 EA 52 E2 FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "101"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\130e9a23\3c38ef63]
"65" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\130e9a23\3c38ef63\65]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]

The process mscorsvw.exe:2312 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 1F 7A 28 E1 B0 7D 03 C1 15 FC 2F 67 25 73 20"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2084 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 B9 EE AA 91 DA 20 E3 FD 7B 2A C7 9B 18 A9 CB"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2144 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 46 DF 3E FE 16 09 53 6A D3 4D F3 AA 6D 75 17"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "76 14 EE 9A 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]

The process mscorsvw.exe:2516 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 B7 61 75 60 1F 20 F3 4C AE 12 07 99 61 19 32"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "E4 15 CF 9A 9F B6 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]

The process wsmanhttpconfig.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 40 9B 2A F4 D5 C2 41 C0 EF C8 E7 8B 72 18 77"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http://+:47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https://+:5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "25EF67F5-CB9C-47C1-8E0E-73B880318FAF"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http://+:5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

The process wsmanhttpconfig.exe:2084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 EB 8F A8 C1 E9 B5 AD E6 90 83 FB F6 38 59 0F"

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 78 E0 F1 06 D0 33 6A 98 9E CA 9C A9 97 6D 78"

Dropped PE files

MD5 File path
9859a26d5e72bbb0685af813b409d99d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
fc9a05096522bb6d7ceda62ea1707420 c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
35efd8cd6549a4339cb2a28c8cfd6598 c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
a39df582ca051afc8811fbd00db12f10 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
75c183e262bd4400eb0f20349f6ef383 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
2f7fe3a781ba8c0a67c775f20e3e9f70 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
4e2482e69baaf3a5b13db8101c063ebf c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
08e87e8abf7b41b28663dce817ce0ab6 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
b87e087fc013225e2aa1cb60c080647d c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
f3ac3f844f90380aab2b4c0836c4288f c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
1ce73fb3f88c716cfc3fd550547d2b35 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
dfeb401cc051e5da721c584ff6a90f88 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
36ff641f37918f2cca98e7f407ac4d75 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
3991b7fa452a9c9c291c06365a236792 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
37bed865557084dd9988350ab1675e0b c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll
208fa9d0ebe2ceb9616042772e96598e c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
108500a98b9a2f66823e7615398fc87b c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll
d4eefccdc3de6ced901535fa4153c491 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
5a69fb5d686f863e0e13268d671ef16d c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
c7a0d1321a67a2afd330c5fbe79befd1 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
53a9d748ef09920a0d06da2583c298ad c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
6372ea7d2aced7185183cf3fcdd3577b c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
1a4e900c2fe3cd31d10107670d184fe6 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
f7da27672d2e4c21a1f996ee31de0dbf c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
2286b57ecc2d32d24049c51989084268 c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
4d8ab4fad244f7985d8c59d456e026d7 c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
930cdc3163f4d4a6bd52f96896e9fa44 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\fd3edcdfa9ce60abac35208146184495\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll
e27a37cfbcff4c9941e73c9a3e762d0c c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\13fc3daef585098f11911f8f72ac1cea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
8afa150131c5cba4b312493db94d30fb c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\72a5e788c4076b67ec6897dadb9c00b6\Microsoft.PowerShell.Editor.ni.dll
8984e670f9760c504c5fca8370ad99d3 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\93926797486d4f7a9b69c5875ff3fc30\Microsoft.PowerShell.Commands.Utility.ni.dll
41980649706941d2ff841871435068b5 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\be897ce6cb7d25170286eabceae9f41e\Microsoft.PowerShell.GPowerShell.ni.dll
fe8b145b025e02fb4e23381a2e189d0a c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dc19f50c5e84e7223433cc709e7eb43f\Microsoft.PowerShell.ConsoleHost.ni.dll
1915d832be5b46ff2a888a9a6689e281 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\eaf77ec3ae2ea17383bfa6fba93d3737\Microsoft.PowerShell.GraphicalHost.ni.dll
6756eea89ecbaa301b79e4d01f381cd1 c:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f007ee1bf548ba761ba616f4c35b158e\Microsoft.PowerShell.Commands.Management.ni.dll
85d7ab466d0577c49fc9879107ec7ef5 c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
173d3dd1425a8e33fa1d4ed71067a3a2 c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
df4217ddb34a0b73dc7aac7829371c0c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8 c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9f c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3 c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
95b7f12a557dedac5e4a1e9afa5e73ab c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5 c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91 c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63 c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6 c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351b c:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8a c:\WINDOWS\system32\WsmWmiPl.dll
8c386819bf5b39d7a4b274d0b55f87a5 c:\WINDOWS\system32\pwrshplugin.dll
84e025b1259c66315f4d45a6caecacc9 c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09c c:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948 c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655b c:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991 c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfa c:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1 c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81 c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867 c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2 c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: AMD Inc.
Product Name: AMD drivers/software
Product Version:
Legal Copyright: AMD Inc.
Legal Trademarks: AMD Inc.
Original Filename:
Internal Name:
File Version: x.x.x
File Description: AMD Software Suite
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 40342 40448 4.60951 117c26d819e8e049a5e56cc2192a8196
.rdata 45056 57398 57856 5.28662 b759b1cafb90bf439902d5bc122c4983
.data 106496 198316 190464 5.25284 7cd841c30db794a39e737447b26ecc9c
.rsrc 307200 87020 87040 4.60639 cb36452a138e7fd3109afee61a99561c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://microsoft.com/ 134.170.185.46
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://a767.dscms.akamai.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://www.microsoft.com/ 2.23.159.132
hxxp://www.microsoft.com/uk-ua/ 2.23.159.132
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe 194.146.191.107


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 04 Jul 2015 21:22:20 GMT
Connection: close
Content-Length: 148
<head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>


GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MS-CV=eWKQEqZ aEybn1RN.1


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Sat, 04 Jul 2015 21:22:23 GMT
Connection: close

<<< skipped >>>

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com


HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Sat, 04 Jul 2015 21:22:21 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2



GET /uk-ua/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.0
CorrelationVector: eWKQEqZ aEybn1RN.1.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Content-Length: 235810
Date: Sat, 04 Jul 2015 21:22:21 GMT
Connection: keep-alive
Set-Cookie: MS-CV=eWKQEqZ aEybn1RN.1; domain=.microsoft.com; expires=Sun, 05-Jul-2015 21:22:21 GMT; path=/
X-CCC: SE
X-CID: 2

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

svchost.exe_1416:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path

svchost.exe_1416_rwx_00090000_000BC000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X 
pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d 
qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 
9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X 
pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d 
qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 
9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path
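The JScript fragments recovered in this region (" =String.fromCharCode(parseInt(", ".substr(", ",2),16));", ".charCodeAt()^", ".length-1)?", followed by new ActiveXObject("WScript.Shell") with .Run( and .RegRead() are the pieces of a two-stage string decoder: hex digits are turned back into characters, then each character is XORed with a repeating key before the result is handed to WScript.Shell. The block below is an added reconstruction for analysts, not code taken from the sample or from the Lavasoft report: how the fragments are joined, the key (the dump does contain the string 1234567890, but its role as a key is an assumption) and the plaintext used in the fixture are all assumed. The encoder exists only to build that fixture.

```javascript
// Added example: reconstruction of the hex-then-XOR decoder implied by the
// JScript fragments in the svchost.exe dump. Assumptions: how the fragments
// are joined, the key and the sample plaintext are NOT from the report.

// Stage 1 (fragments "+=String.fromCharCode(parseInt(", ".substr(", ",2),16));"):
// two hex digits per character, rebuilt into a string.
function hexDecode(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Stage 2 (fragments "+=String.fromCharCode(", ",1).charCodeAt()^",
// ",1).charCodeAt());", ".length-1)?"): XOR each character with a repeating
// key; the ".length-1)?" ternary is the usual "wrap the key index to 0".
function xorWithKey(data, key) {
  let out = "";
  let j = 0;
  for (let i = 0; i < data.length; i++) {
    out += String.fromCharCode(
      data.substr(i, 1).charCodeAt() ^ key.substr(j, 1).charCodeAt()
    );
    j = (j < key.length - 1) ? j + 1 : 0;
  }
  return out;
}

// Full pipeline as an analyst would apply it to a recovered hex blob.
function decodePayload(hex, key) {
  return xorWithKey(hexDecode(hex), key);
}

// Encoder: used only to construct a test fixture, since the sample's real
// encoded strings are not on the page. XOR is symmetric, so encode = xor + hex.
function encodePayload(plain, key) {
  const x = xorWithKey(plain, key);
  let hex = "";
  for (let i = 0; i < x.length; i++) {
    hex += x.charCodeAt(i).toString(16).padStart(2, "0");
  }
  return hex;
}

// Constructed fixture (assumed key and plaintext; the plaintext mirrors the
// "=new ActiveXObject(\"WScript.Shell\");" fragment seen in the dump).
const CONSTRUCTED_KEY = "1234567890";
const CONSTRUCTED_PLAIN = 'var sh=new ActiveXObject("WScript.Shell");';
const CONSTRUCTED_HEX = encodePayload(CONSTRUCTED_PLAIN, CONSTRUCTED_KEY);

// Round trip: decoding the constructed blob with the same key yields the plaintext.
function roundTripOk() {
  return decodePayload(CONSTRUCTED_HEX, CONSTRUCTED_KEY) === CONSTRUCTED_PLAIN;
}
```

When applying this to a real dump, the hex blob and the key are both string literals in the script; once the decoder is identified the key is usually the short literal next to the ternary, so trying the short alphanumeric strings in the same region (here 1234567890 and 0123456789 are candidates) before brute-forcing is the cheaper path.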

svchost.exe_1416_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_240:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X 
pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d 
qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 
9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X 
pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d 
qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 
9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_240_rwx_00080000_000BC000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X 
pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d 
qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 
9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X 
pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d 
qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 
9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_240_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mofcomp.exe:2104
    WindowsXP-KB968930-x86-ENG.exe:1508
    ngen.exe:2968
    ngen.exe:3060
    ngen.exe:3000
    ngen.exe:3148
    ngen.exe:3164
    ngen.exe:3068
    ngen.exe:3044
    ngen.exe:3476
    ngen.exe:3108
    ngen.exe:3100
    ngen.exe:3516
    ngen.exe:3124
    ngen.exe:3020
    ngen.exe:3080
    ngen.exe:3484
    ngen.exe:3524
    ngen.exe:3156
    ngen.exe:3052
    ngen.exe:3508
    ngen.exe:3012
    ngen.exe:3116
    ngen.exe:3468
    ngen.exe:3092
    update.exe:1304
    PSCustomSetupUtil.exe:2292
    PSCustomSetupUtil.exe:3320
    PSCustomSetupUtil.exe:3292
    PSCustomSetupUtil.exe:3348
    PSCustomSetupUtil.exe:2204
    PSCustomSetupUtil.exe:3212
    PSCustomSetupUtil.exe:2484
    PSCustomSetupUtil.exe:2548
    PSCustomSetupUtil.exe:2268
    PSCustomSetupUtil.exe:2380
    PSCustomSetupUtil.exe:2664
    PSCustomSetupUtil.exe:2640
    PSCustomSetupUtil.exe:2744
    PSCustomSetupUtil.exe:2508
    PSCustomSetupUtil.exe:3188
    PSCustomSetupUtil.exe:2444
    PSCustomSetupUtil.exe:2228
    PSCustomSetupUtil.exe:2420
    PSCustomSetupUtil.exe:2704
    PSCustomSetupUtil.exe:2608
    PSCustomSetupUtil.exe:3268
    PSCustomSetupUtil.exe:3172
    PSCustomSetupUtil.exe:3228
    PSCustomSetupUtil.exe:3372
    PSCustomSetupUtil.exe:2144
    PSCustomSetupUtil.exe:2356
    PSSetupNativeUtils.exe:3644
    mscorsvw.exe:3948
    mscorsvw.exe:2964
    mscorsvw.exe:2900
    mscorsvw.exe:1340
    mscorsvw.exe:2636
    mscorsvw.exe:2452
    mscorsvw.exe:3000
    mscorsvw.exe:276
    mscorsvw.exe:3148
    mscorsvw.exe:2800
    mscorsvw.exe:4060
    mscorsvw.exe:1964
    mscorsvw.exe:3796
    mscorsvw.exe:4004
    mscorsvw.exe:2480
    mscorsvw.exe:2984
    mscorsvw.exe:524
    mscorsvw.exe:2368
    mscorsvw.exe:1816
    mscorsvw.exe:3884
    mscorsvw.exe:3240
    mscorsvw.exe:2312
    mscorsvw.exe:2084
    mscorsvw.exe:2144
    mscorsvw.exe:2516
    wsmanhttpconfig.exe:1612
    wsmanhttpconfig.exe:2084
    %original file name%.exe:464

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\6209a3ef056193fd0c3a8c\winrssrv.dll (12 bytes)
    C:\6209a3ef056193fd0c3a8c\help.format.ps1xml (3947 bytes)
    C:\6209a3ef056193fd0c3a8c\winrm.cmd (35 bytes)
    C:\6209a3ef056193fd0c3a8c\about_logical_operators.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmsvc.dll (15909 bytes)
    C:\6209a3ef056193fd0c3a8c\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\6209a3ef056193fd0c3a8c\about_comparison_operators.help.txt (11 bytes)
    C:\6209a3ef056193fd0c3a8c\about_operators.help.txt (770 bytes)
    C:\6209a3ef056193fd0c3a8c\importallmodules.psd1 (438 bytes)
    C:\6209a3ef056193fd0c3a8c\about_regular_expressions.help.txt (5 bytes)
    C:\6209a3ef056193fd0c3a8c\about_windows_powershell_ise.help.txt (6 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmauto.mof (4 bytes)
    C:\6209a3ef056193fd0c3a8c\types.ps1xml (2510 bytes)
    C:\6209a3ef056193fd0c3a8c\about_types.ps1xml.help.txt (481 bytes)
    C:\6209a3ef056193fd0c3a8c\getevent.types.ps1xml (15 bytes)
    C:\6209a3ef056193fd0c3a8c\about_preference_variables.help.txt (37 bytes)
    C:\6209a3ef056193fd0c3a8c\about_pssnapins.help.txt (6 bytes)
    C:\6209a3ef056193fd0c3a8c\spuninst.exe (3787 bytes)
    C:\6209a3ef056193fd0c3a8c\about_escape_characters.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\about_bits_cmdlets.help.txt (7 bytes)
    C:\6209a3ef056193fd0c3a8c\about_prompts.help.txt (7 bytes)
    C:\6209a3ef056193fd0c3a8c\update\eula.txt (586 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\6209a3ef056193fd0c3a8c\powershellcore.format.ps1xml (1492 bytes)
    C:\6209a3ef056193fd0c3a8c\about_format.ps1xml.help.txt (17 bytes)
    C:\6209a3ef056193fd0c3a8c\pscustomsetuputil.exe (316 bytes)
    C:\6209a3ef056193fd0c3a8c\winrmprov.dll (591 bytes)
    C:\6209a3ef056193fd0c3a8c\about_try_catch_finally.help.txt (7 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\6209a3ef056193fd0c3a8c\about_variables.help.txt (6 bytes)
    C:\6209a3ef056193fd0c3a8c\about_continue.help.txt (1 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.security.resources.dll (9 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.wsman.management.resources.dll (13 bytes)
    C:\6209a3ef056193fd0c3a8c\windowspowershellhelp.chm (26041 bytes)
    C:\6209a3ef056193fd0c3a8c\about_foreach.help.txt (10 bytes)
    C:\6209a3ef056193fd0c3a8c\wtrinstaller.ico (4803 bytes)
    C:\6209a3ef056193fd0c3a8c\about_trap.help.txt (10 bytes)
    C:\6209a3ef056193fd0c3a8c\about_for.help.txt (146 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\6209a3ef056193fd0c3a8c\about_profiles.help.txt (457 bytes)
    C:\6209a3ef056193fd0c3a8c\winrs.exe (1154 bytes)
    C:\6209a3ef056193fd0c3a8c\about_pipelines.help.txt (411 bytes)
    C:\6209a3ef056193fd0c3a8c\about_signing.help.txt (12 bytes)
    C:\6209a3ef056193fd0c3a8c\powershell_ise.exe (2526 bytes)
    C:\6209a3ef056193fd0c3a8c\wevtfwd.dll (3351 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\6209a3ef056193fd0c3a8c\about_history.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\update\updspapi.dll (5940 bytes)
    C:\6209a3ef056193fd0c3a8c\certificate.format.ps1xml (155 bytes)
    C:\6209a3ef056193fd0c3a8c\bitstransfer.psd1 (950 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\6209a3ef056193fd0c3a8c\about_properties.help.txt (7 bytes)
    C:\6209a3ef056193fd0c3a8c\about_remote_troubleshooting.help.txt (146 bytes)
    C:\6209a3ef056193fd0c3a8c\about_command_syntax.help.txt (5 bytes)
    C:\6209a3ef056193fd0c3a8c\update\update.exe (10748 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmpty.xsl (1 bytes)
    C:\6209a3ef056193fd0c3a8c\about_special_characters.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\powershell.exe (7339 bytes)
    C:\6209a3ef056193fd0c3a8c\update\kb968930xp.cat (512 bytes)
    C:\6209a3ef056193fd0c3a8c\update\update.ver (14 bytes)
    C:\6209a3ef056193fd0c3a8c\powershelltrace.format.ps1xml (344 bytes)
    C:\6209a3ef056193fd0c3a8c\wsman.format.ps1xml (837 bytes)
    C:\6209a3ef056193fd0c3a8c\about_jobs.help.txt (12 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\6209a3ef056193fd0c3a8c\about_comment_based_help.help.txt (595 bytes)
    C:\6209a3ef056193fd0c3a8c\about_switch.help.txt (489 bytes)
    C:\6209a3ef056193fd0c3a8c\about_remote_jobs.help.txt (13 bytes)
    C:\6209a3ef056193fd0c3a8c\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\6209a3ef056193fd0c3a8c\profile.ps1 (772 bytes)
    C:\6209a3ef056193fd0c3a8c\spmsg.dll (495 bytes)
    C:\6209a3ef056193fd0c3a8c\about_return.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmauto.dll (1842 bytes)
    C:\6209a3ef056193fd0c3a8c\pwrshmsg.dll (4 bytes)
    C:\6209a3ef056193fd0c3a8c\about_data_sections.help.txt (5 bytes)
    C:\6209a3ef056193fd0c3a8c\about_session_configurations.help.txt (276 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
    C:\6209a3ef056193fd0c3a8c\about_eventlogs.help.txt (5 bytes)
    C:\6209a3ef056193fd0c3a8c\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\about_modules.help.txt (13 bytes)
    C:\6209a3ef056193fd0c3a8c\about_wmi_cmdlets.help.txt (8 bytes)
    C:\6209a3ef056193fd0c3a8c\pssetupnativeutils.exe (9 bytes)
    C:\6209a3ef056193fd0c3a8c\about_requires.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\6209a3ef056193fd0c3a8c\about_parsing.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\spupdsvc.exe (287 bytes)
    C:\6209a3ef056193fd0c3a8c\about_assignment_operators.help.txt (379 bytes)
    C:\6209a3ef056193fd0c3a8c\about_commonparameters.help.txt (12 bytes)
    C:\6209a3ef056193fd0c3a8c\about_path_syntax.help.txt (5 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\6209a3ef056193fd0c3a8c\about_scopes.help.txt (76 bytes)
    C:\6209a3ef056193fd0c3a8c\system.management.automation.resources.dll (3153 bytes)
    C:\6209a3ef056193fd0c3a8c\about_core_commands.help.txt (221 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmres.dll (6164 bytes)
    C:\6209a3ef056193fd0c3a8c\eventforwarding.adm (2 bytes)
    C:\6209a3ef056193fd0c3a8c\registry.format.ps1xml (20 bytes)
    C:\6209a3ef056193fd0c3a8c\about_debuggers.help.txt (21 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\6209a3ef056193fd0c3a8c\about_do.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\update\spcustom.dll (23 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\6209a3ef056193fd0c3a8c\about_remote.help.txt (7 bytes)
    C:\6209a3ef056193fd0c3a8c\about_command_precedence.help.txt (8 bytes)
    C:\6209a3ef056193fd0c3a8c\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\6209a3ef056193fd0c3a8c\about_remote_requirements.help.txt (6 bytes)
    C:\6209a3ef056193fd0c3a8c\about_remote_faq.help.txt (775 bytes)
    C:\6209a3ef056193fd0c3a8c\about_join.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\update\update.inf (2457 bytes)
    C:\6209a3ef056193fd0c3a8c\winrscmd.dll (2907 bytes)
    C:\6209a3ef056193fd0c3a8c\about_line_editing.help.txt (1 bytes)
    C:\6209a3ef056193fd0c3a8c\dotnettypes.format.ps1xml (266 bytes)
    C:\6209a3ef056193fd0c3a8c\about_reserved_words.help.txt (1 bytes)
    C:\6209a3ef056193fd0c3a8c\system.management.automation.dll (38414 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmplpxy.dll (603 bytes)
    C:\6209a3ef056193fd0c3a8c\winrsmgr.dll (2 bytes)
    C:\6209a3ef056193fd0c3a8c\about_throw.help.txt (5 bytes)
    C:\6209a3ef056193fd0c3a8c\about_aliases.help.txt (6 bytes)
    C:\6209a3ef056193fd0c3a8c\system.management.automation.dll-help.xml (16567 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmanhttpconfig.exe (3009 bytes)
    C:\6209a3ef056193fd0c3a8c\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\6209a3ef056193fd0c3a8c\filesystem.format.ps1xml (133 bytes)
    C:\6209a3ef056193fd0c3a8c\winrmprov.mof (789 bytes)
    C:\6209a3ef056193fd0c3a8c\about_script_internationalization.help.txt (9 bytes)
    C:\6209a3ef056193fd0c3a8c\about_redirection.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\about_quoting_rules.help.txt (659 bytes)
    C:\6209a3ef056193fd0c3a8c\about_ref.help.txt (1 bytes)
    C:\6209a3ef056193fd0c3a8c\about_functions.help.txt (586 bytes)
    C:\6209a3ef056193fd0c3a8c\default.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.wsman.runtime.dll (33 bytes)
    C:\6209a3ef056193fd0c3a8c\about_locations.help.txt (794 bytes)
    C:\6209a3ef056193fd0c3a8c\about_arrays.help.txt (8 bytes)
    C:\6209a3ef056193fd0c3a8c\about_execution_policies.help.txt (13 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmprovhost.exe (657 bytes)
    C:\6209a3ef056193fd0c3a8c\about_if.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\about_language_keywords.help.txt (11 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\6209a3ef056193fd0c3a8c\pwrshplugin.dll (802 bytes)
    C:\6209a3ef056193fd0c3a8c\about_providers.help.txt (59 bytes)
    C:\6209a3ef056193fd0c3a8c\powershell_ise.resources.dll (4 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\6209a3ef056193fd0c3a8c\about_hash_tables.help.txt (6 bytes)
    C:\6209a3ef056193fd0c3a8c\about_functions_advanced.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\about_environment_variables.help.txt (417 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\6209a3ef056193fd0c3a8c\about_pssessions.help.txt (9 bytes)
    C:\6209a3ef056193fd0c3a8c\about_type_operators.help.txt (5 bytes)
    C:\6209a3ef056193fd0c3a8c\pwrshsip.dll (24 bytes)
    C:\6209a3ef056193fd0c3a8c\about_arithmetic_operators.help.txt (168 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmwmipl.dll (2816 bytes)
    C:\6209a3ef056193fd0c3a8c\about_script_blocks.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\winrm.ini (1956 bytes)
    C:\6209a3ef056193fd0c3a8c\winrshost.exe (22 bytes)
    C:\6209a3ef056193fd0c3a8c\about_parameters.help.txt (9 bytes)
    C:\6209a3ef056193fd0c3a8c\about_functions_advanced_methods.help.txt (9 bytes)
    C:\6209a3ef056193fd0c3a8c\about_automatic_variables.help.txt (14 bytes)
    C:\6209a3ef056193fd0c3a8c\about_while.help.txt (2 bytes)
    C:\$Directory (800 bytes)
    C:\6209a3ef056193fd0c3a8c\winrm.vbs (2727 bytes)
    C:\6209a3ef056193fd0c3a8c\about_transactions.help.txt (1011 bytes)
    C:\6209a3ef056193fd0c3a8c\about_remote_output.help.txt (887 bytes)
    C:\6209a3ef056193fd0c3a8c\about_break.help.txt (792 bytes)
    C:\6209a3ef056193fd0c3a8c\pspluginwkr.dll (1756 bytes)
    C:\6209a3ef056193fd0c3a8c\about_objects.help.txt (2 bytes)
    C:\6209a3ef056193fd0c3a8c\about_wildcards.help.txt (3 bytes)
    C:\6209a3ef056193fd0c3a8c\about_scripts.help.txt (12 bytes)
    C:\6209a3ef056193fd0c3a8c\diagnostics.format.ps1xml (590 bytes)
    C:\6209a3ef056193fd0c3a8c\powershell.exe.mui (10 bytes)
    C:\6209a3ef056193fd0c3a8c\about_job_details.help.txt (824 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\6209a3ef056193fd0c3a8c\$shtdwn$.req (788 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\6209a3ef056193fd0c3a8c\about_pssession_details.help.txt (9 bytes)
    C:\6209a3ef056193fd0c3a8c\bitstransfer.format.ps1xml (16 bytes)
    C:\6209a3ef056193fd0c3a8c\windowsremotemanagement.adm (574 bytes)
    C:\6209a3ef056193fd0c3a8c\wsmtxt.xsl (2 bytes)
    C:\6209a3ef056193fd0c3a8c\about_methods.help.txt (6 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.editor.dll (14450 bytes)
    C:\6209a3ef056193fd0c3a8c\about_split.help.txt (10 bytes)
    C:\6209a3ef056193fd0c3a8c\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\6209a3ef056193fd0c3a8c\windowsremoteshell.adm (12 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
    %System%\SETBF.tmp (42 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %WinDir%\inf\oem10.PNF (10040 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %WinDir%\msmqinst.log (5122 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (7577 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (5372 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %WinDir%\SECD0.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %WinDir%\imsins.log (3604 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1031 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %WinDir%\iis6.log (140211 bytes)
    %WinDir%\comsetup.log (49590 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (242490 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %WinDir%\ntdtcsetup.log (22691 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\tmp\UPTWZ258\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\1JNQTWZ2\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\SBEHKNRU\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\WGJNQTWZ\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\SCFILPSV\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\Q9CFIMPS\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\ATWZ259C\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\L48BEHKO\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\R9DGJMPS\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\J258BEHL\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\GZ258BFI\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\FY258BEH\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\J258BEHK\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\M69CFJMP\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\N7ADHKNQ\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\XGJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\VEHLORUX\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\HZ258BEI\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\5ORVY147\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\L47ADHKN\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\O7ADHKNQ\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\5PSVZ258\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\P7BEHKNQ\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDB.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (83393 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDC.tmp\System.Management.Automation.dll (105990 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
