Trojan.Generic.15099347_d1fd8cc62a

by malwarelabrobot on July 13th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.15099347 (B) (Emsisoft), Trojan.Generic.15099347 (AdAware), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: d1fd8cc62a8f1ba3ede9cb9f178c07b9
SHA1: 777077f08bf94c30be886a149dafbc19c374575c
SHA256: 0829552607353fb00b60d9ac3b4648f97131a01248ce5ac152f2e1028d8459b4
SSDeep: 6144:P3owmzBVkz3bBmFOgIoK5st2hcy1Wn0CnH1qK2k0SlLboizcL7r:P3lmzjk/wFo5smcy1W0 HXp1LxALP
Size: 327782 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-04-24 20:39:42
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mofcomp.exe:4092
WindowsXP-KB968930-x86-ENG.exe:900
ngen.exe:3760
ngen.exe:3984
ngen.exe:3616
ngen.exe:1932
ngen.exe:3940
ngen.exe:4004
ngen.exe:3744
ngen.exe:3908
ngen.exe:3800
ngen.exe:3840
ngen.exe:4064
ngen.exe:3892
ngen.exe:2072
ngen.exe:1144
ngen.exe:1232
PSCustomSetupUtil.exe:2928
PSCustomSetupUtil.exe:1096
PSCustomSetupUtil.exe:3204
PSCustomSetupUtil.exe:2336
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2996
PSCustomSetupUtil.exe:2856
PSCustomSetupUtil.exe:1876
PSCustomSetupUtil.exe:3152
PSCustomSetupUtil.exe:2268
PSCustomSetupUtil.exe:2412
PSCustomSetupUtil.exe:3096
PSCustomSetupUtil.exe:828
PSCustomSetupUtil.exe:3308
PSCustomSetupUtil.exe:2532
PSCustomSetupUtil.exe:328
PSCustomSetupUtil.exe:2160
wsmanhttpconfig.exe:2900
wsmanhttpconfig.exe:3492
%original file name%.exe:524
%original file name%.exe:1612

The Trojan injects its code into the following process(es):

update.exe:1196
mscorsvw.exe:3620
svchost.exe:168
svchost.exe:272
svchost.exe:372

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mofcomp.exe:4092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\1a581e7121a380047c3556\wsmtxt.xsl (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\1a581e7121a380047c3556\registry.format.ps1xml (20 bytes)
C:\1a581e7121a380047c3556\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\1a581e7121a380047c3556\about_logical_operators.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_functions.help.txt (586 bytes)
C:\1a581e7121a380047c3556\winrmprov.mof (789 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\1a581e7121a380047c3556\about_comparison_operators.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll (1145 bytes)
C:\1a581e7121a380047c3556\diagnostics.format.ps1xml (590 bytes)
C:\1a581e7121a380047c3556\about_types.ps1xml.help.txt (481 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.dll (14450 bytes)
C:\1a581e7121a380047c3556\about_language_keywords.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\1a581e7121a380047c3556\powershellcore.format.ps1xml (1492 bytes)
C:\1a581e7121a380047c3556\about_preference_variables.help.txt (37 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_methods.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmplpxy.dll (603 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\1a581e7121a380047c3556\winrs.exe (1154 bytes)
C:\1a581e7121a380047c3556\wtrinstaller.ico (4803 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_break.help.txt (792 bytes)
C:\1a581e7121a380047c3556\about_hash_tables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_command_precedence.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_debuggers.help.txt (21 bytes)
C:\1a581e7121a380047c3556\about_wmi_cmdlets.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_requires.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_parameters.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmanhttpconfig.exe (3009 bytes)
C:\1a581e7121a380047c3556\about_trap.help.txt (10 bytes)
C:\1a581e7121a380047c3556\winrm.ini (1956 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\1a581e7121a380047c3556\about_job_details.help.txt (824 bytes)
C:\1a581e7121a380047c3556\windowspowershellhelp.chm (26041 bytes)
C:\1a581e7121a380047c3556\about_transactions.help.txt (1011 bytes)
C:\1a581e7121a380047c3556\about_path_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\getevent.types.ps1xml (15 bytes)
C:\1a581e7121a380047c3556\wsmprovhost.exe (657 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\1a581e7121a380047c3556\about_profiles.help.txt (457 bytes)
C:\1a581e7121a380047c3556\about_regular_expressions.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_prompts.help.txt (7 bytes)
C:\1a581e7121a380047c3556\spupdsvc.exe (287 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\1a581e7121a380047c3556\wsmsvc.dll (15909 bytes)
C:\1a581e7121a380047c3556\system.management.automation.dll-help.xml (16567 bytes)
C:\1a581e7121a380047c3556\update\update.ver (14 bytes)
C:\1a581e7121a380047c3556\winrssrv.dll (12 bytes)
C:\1a581e7121a380047c3556\about_assignment_operators.help.txt (379 bytes)
C:\1a581e7121a380047c3556\pwrshsip.dll (24 bytes)
C:\1a581e7121a380047c3556\about_format.ps1xml.help.txt (17 bytes)
C:\1a581e7121a380047c3556\about_while.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_command_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\wsmauto.mof (4 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\1a581e7121a380047c3556\spmsg.dll (495 bytes)
C:\1a581e7121a380047c3556\about_type_operators.help.txt (5 bytes)
C:\1a581e7121a380047c3556\eventforwarding.adm (2 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_if.help.txt (3 bytes)
C:\1a581e7121a380047c3556\powershelltrace.format.ps1xml (344 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.runtime.dll (33 bytes)
C:\1a581e7121a380047c3556\spuninst.exe (3787 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.resources.dll (562 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\1a581e7121a380047c3556\about_remote_output.help.txt (887 bytes)
C:\1a581e7121a380047c3556\about_switch.help.txt (489 bytes)
C:\1a581e7121a380047c3556\about_eventlogs.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_arithmetic_operators.help.txt (168 bytes)
C:\1a581e7121a380047c3556\about_remote_requirements.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_script_internationalization.help.txt (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\1a581e7121a380047c3556\about_aliases.help.txt (6 bytes)
C:\1a581e7121a380047c3556\winrm.vbs (2727 bytes)
C:\1a581e7121a380047c3556\pscustomsetuputil.exe (316 bytes)
C:\1a581e7121a380047c3556\update\eula.txt (586 bytes)
C:\1a581e7121a380047c3556\default.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_ise.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_history.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pssetupnativeutils.exe (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\1a581e7121a380047c3556\update\kb968930xp.cat (512 bytes)
C:\1a581e7121a380047c3556\windowsremotemanagement.adm (574 bytes)
C:\1a581e7121a380047c3556\bitstransfer.psd1 (950 bytes)
C:\1a581e7121a380047c3556\about_join.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_operators.help.txt (770 bytes)
C:\1a581e7121a380047c3556\about_scripts.help.txt (12 bytes)
C:\1a581e7121a380047c3556\wsmres.dll (6164 bytes)
C:\1a581e7121a380047c3556\about_throw.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_remote.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_signing.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_quoting_rules.help.txt (659 bytes)
C:\1a581e7121a380047c3556\about_script_blocks.help.txt (3 bytes)
C:\1a581e7121a380047c3556\winrshost.exe (22 bytes)
C:\1a581e7121a380047c3556\dotnettypes.format.ps1xml (266 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll (3386 bytes)
C:\1a581e7121a380047c3556\about_remote_troubleshooting.help.txt (146 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\1a581e7121a380047c3556\about_jobs.help.txt (12 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\1a581e7121a380047c3556\wsmpty.xsl (1 bytes)
C:\1a581e7121a380047c3556\about_escape_characters.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_return.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_session_configurations.help.txt (276 bytes)
C:\1a581e7121a380047c3556\winrsmgr.dll (2 bytes)
C:\1a581e7121a380047c3556\about_split.help.txt (10 bytes)
C:\1a581e7121a380047c3556\update\spcustom.dll (23 bytes)
C:\1a581e7121a380047c3556\about_foreach.help.txt (10 bytes)
C:\1a581e7121a380047c3556\about_core_commands.help.txt (221 bytes)
C:\1a581e7121a380047c3556\about_variables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\bitstransfer.format.ps1xml (16 bytes)
C:\1a581e7121a380047c3556\about_execution_policies.help.txt (13 bytes)
C:\1a581e7121a380047c3556\profile.ps1 (772 bytes)
C:\1a581e7121a380047c3556\system.management.automation.dll (38414 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\1a581e7121a380047c3556\about_reserved_words.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_ref.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_wildcards.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_continue.help.txt (1 bytes)
C:\1a581e7121a380047c3556\winrm.cmd (35 bytes)
C:\1a581e7121a380047c3556\about_redirection.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_locations.help.txt (794 bytes)
C:\1a581e7121a380047c3556\about_bits_cmdlets.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmwmipl.dll (2816 bytes)
C:\1a581e7121a380047c3556\about_ws-management_cmdlets.help.txt (405 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\1a581e7121a380047c3556\powershell.exe.mui (10 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.resources.dll (9 bytes)
C:\1a581e7121a380047c3556\about_pssession_details.help.txt (9 bytes)
C:\1a581e7121a380047c3556\certificate.format.ps1xml (155 bytes)
C:\1a581e7121a380047c3556\filesystem.format.ps1xml (133 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_2.0.help.txt (453 bytes)
C:\1a581e7121a380047c3556\winrmprov.dll (591 bytes)
C:\1a581e7121a380047c3556\about_parsing.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_automatic_variables.help.txt (14 bytes)
C:\1a581e7121a380047c3556\windowsremoteshell.adm (12 bytes)
C:\1a581e7121a380047c3556\wsman.format.ps1xml (837 bytes)
C:\1a581e7121a380047c3556\about_scopes.help.txt (76 bytes)
C:\1a581e7121a380047c3556\about_pipelines.help.txt (411 bytes)
C:\1a581e7121a380047c3556\$shtdwn$.req (788 bytes)
C:\1a581e7121a380047c3556\about_comment_based_help.help.txt (595 bytes)
C:\1a581e7121a380047c3556\powershell_ise.resources.dll (4 bytes)
C:\1a581e7121a380047c3556\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\1a581e7121a380047c3556\update\update.inf (2457 bytes)
C:\1a581e7121a380047c3556\about_line_editing.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_remote_faq.help.txt (775 bytes)
C:\1a581e7121a380047c3556\update\update.exe (10748 bytes)
C:\1a581e7121a380047c3556\about_pssnapins.help.txt (6 bytes)
C:\1a581e7121a380047c3556\pspluginwkr.dll (1756 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.resources.dll (13 bytes)
C:\1a581e7121a380047c3556\system.management.automation.resources.dll (3153 bytes)
C:\1a581e7121a380047c3556\powershell_ise.exe (2526 bytes)
C:\1a581e7121a380047c3556\about_environment_variables.help.txt (417 bytes)
C:\1a581e7121a380047c3556\about_do.help.txt (2 bytes)
C:\1a581e7121a380047c3556\pwrshplugin.dll (802 bytes)
C:\1a581e7121a380047c3556\about_providers.help.txt (59 bytes)
C:\1a581e7121a380047c3556\update\updspapi.dll (5940 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_parameters.help.txt (962 bytes)
C:\1a581e7121a380047c3556\about_modules.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_pssessions.help.txt (9 bytes)
C:\1a581e7121a380047c3556\winrscmd.dll (2907 bytes)
C:\1a581e7121a380047c3556\about_commonparameters.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_remote_jobs.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_properties.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_data_sections.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_try_catch_finally.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmauto.dll (1842 bytes)
C:\1a581e7121a380047c3556\powershell.exe (7339 bytes)
C:\1a581e7121a380047c3556\importallmodules.psd1 (438 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll (3118 bytes)
C:\1a581e7121a380047c3556\about_arrays.help.txt (8 bytes)
C:\1a581e7121a380047c3556\help.format.ps1xml (3947 bytes)
C:\1a581e7121a380047c3556\about_for.help.txt (146 bytes)
C:\1a581e7121a380047c3556\about_methods.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_special_characters.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pwrshmsg.dll (4 bytes)
C:\1a581e7121a380047c3556\wevtfwd.dll (3351 bytes)
C:\1a581e7121a380047c3556\about_objects.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.dll (5010 bytes)
C:\1a581e7121a380047c3556\types.ps1xml (2510 bytes)

The Trojan deletes the following file(s):

C:\_444218_ (0 bytes)

The process ngen.exe:3760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:3984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:3616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)

The process ngen.exe:3940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:4004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:3744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:3908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:3840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:4064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:3892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (784 bytes)

The process ngen.exe:1144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)

The process update.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%System%\config\SYSTEM.LOG (6201 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3198 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1579 bytes)
%WinDir%\inf\oem11.PNF (10040 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (220274 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%WinDir%\inf\oem11.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Trojan deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process PSCustomSetupUtil.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7Y38EJOT\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SKPUZ49F\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:3204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\KBGLQW16\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:2336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\H8EJOTY3\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:2484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\LDINSW15\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:2996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7Y38DINT\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\KMSX27CH\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\OFKPV17C\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:3152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\XOTY37CG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:2268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\DBHNSX38\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\RJPUZ49E\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ZQV05AFK\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\KBGLQV05\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SJOTY38D\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:2532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\MEJPUZ49\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\E6BGMRW1\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:2160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\5W16BGLQ\Microsoft.PowerShell.Security.dll (2392 bytes)

The process mscorsvw.exe:3620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)

The process %original file name%.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startupx\system.pif (2105 bytes)

Registry activity

The process mofcomp.exe:4092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 0C 49 D4 BB 15 10 F7 4B 93 38 E9 F9 12 92 95"

The process WindowsXP-KB968930-x86-ENG.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 FF 2D CC B3 BF 22 98 97 47 48 7F B9 9C 83 06"

The process ngen.exe:3760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 D1 5A 46 01 04 04 1C 70 D4 1D 31 35 9B F6 9E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 23 60 7F EB C7 3F D6 3A 48 C1 64 D1 E4 71 C0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 5C 04 9E E3 05 0C 07 6A C3 01 A5 4F 46 08 37"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 5A 05 29 20 36 07 65 90 0A 4B EC 4F 6A 99 24"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 2E 55 79 5A 4C D0 01 03 CC EF 49 E1 36 DE CB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:4004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 60 67 A9 21 BC 0B 59 B4 E7 4F CF 3D 00 2C A1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 AF 58 DD 5A 9A 80 C5 E7 BC 25 EB 57 F0 1A B1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 8C C4 77 3D A0 58 5F 2C 99 61 0C 26 AA 59 DB"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 4A D0 D4 67 9A 31 ED 87 A0 01 D9 53 F5 42 C8"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 C5 00 E1 C2 72 DE 7A 87 A9 7C 1F D6 23 5E A2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:4064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 34 A8 30 15 0D 3A C8 FA E4 C3 17 A2 EA 8C 27"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 23 52 1F 2F 8A 1F 1F B8 CC F7 3E CF AC 50 C5"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 64 BA DE 0E C4 1F F2 31 02 44 35 A8 B6 CE 05"

The process ngen.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 CF 30 56 49 48 70 B4 38 30 F5 5C FF 89 91 A0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 51 7E 48 13 85 48 59 78 FE C4 82 76 D1 B6 AC"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process update.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.inf" = "1"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ReleaseType" = "Software Update"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 0E E6 BA FD 5B DB 9D FF 5F CB 3A A2 24 3D 66"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.PNF" = "1"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160712"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The process PSCustomSetupUtil.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 91 88 91 CE 48 CD 0C 93 6B 98 76 F4 BE E6 D8"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "D0 08 4D 8F E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 96 79 0B C1 5B 7D 80 30 46 EF 99 99 04 99 82"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "66 67 F5 88 E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:3204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F1 36 96 44 03 9D F7 98 CB 38 61 D2 8D 21 E4"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "E6 38 E6 91 E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:2336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 74 C0 E8 6D E5 F0 5E 2D 76 C0 3A E4 47 DF 08"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "8E FF 14 8B E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:2484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 92 2B C5 FD 2B 1E 9E 46 D2 7D B8 2A D8 32 12"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "E8 8E 48 8C E1 DB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:2996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B D4 9A FE BF 03 8D CB CB 5F 9A 1A 74 D5 5D 3A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "78 DD A2 8F E1 DB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:2856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 CF F6 A7 A5 F2 A4 2D 10 4D 91 35 2E D0 45 2E"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "EA 1F 03 8F E1 DB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 61 54 E0 F4 7F B7 17 A5 70 14 59 CC 1B F1 C5"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "F0 89 B3 87 E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:3152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 1D EC D6 FA 91 D8 15 31 76 A7 B1 29 6A B0 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "58 7B 46 91 E1 DB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:2268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 62 DB 27 5D 5D 97 C4 B0 02 3F D8 3F 1E E4 C7"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "AC 57 4A 8A E1 DB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 62 E6 7C 7C B3 F5 D4 9C AC A3 40 76 B2 2D E3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "A0 94 CC 8B E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:3096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 BF B7 8C 24 DA 4E BD FF 7F FE 1C 91 9D D5 9E"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "E2 9D 04 90 E1 DB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 53 33 F0 C7 98 FB 06 6B F7 A2 EC 94 75 2C 92"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "5C 54 3C 87 E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 D3 D4 4D 3B C6 97 A5 36 0C 0F FC 9C D0 FE 32"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "18 5D 2B 92 E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 8C 3F 3E FD A5 69 8B 97 22 E2 49 BE 92 5A 9C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "84 A0 20 8E E1 DB D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 4E 74 50 27 72 F3 5E C2 9E 5B A6 24 02 67 EC"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE 7F 8C 88 E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:2160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 2A 0C 1A 49 23 B4 63 62 C7 D9 9F 57 83 DC 26"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "BE BF D0 89 E1 DB D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process mscorsvw.exe:3620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB E7 03 DA 7F B4 70 A7 7C 47 DE DA 54 1D 4F D0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

The process wsmanhttpconfig.exe:2900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE C1 BE E3 04 48 5F 79 BD C5 82 3E E3 6B FE F1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "705AD653-D525-4991-8961-10D42529A8E0"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

The process wsmanhttpconfig.exe:3492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 89 29 C4 03 05 81 2B 04 8D 09 2B 82 46 E9 38"

The process %original file name%.exe:524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 64 E8 26 C7 B5 18 E1 A9 73 30 26 16 32 79 56"

The process %original file name%.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 5E 11 4D EC F9 3D 13 A8 07 54 89 A1 E1 FD 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

Dropped PE files

MD5	File path
85d7ab466d0577c49fc9879107ec7ef5	c:\1a581e7121a380047c3556\compiledcomposition.microsoft.powershell.gpowershell.dll
2f7fe3a781ba8c0a67c775f20e3e9f70	c:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll
173d3dd1425a8e33fa1d4ed71067a3a2	c:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.interop.dll
75c183e262bd4400eb0f20349f6ef383	c:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.resources.dll
08e87e8abf7b41b28663dce817ce0ab6	c:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll
4e2482e69baaf3a5b13db8101c063ebf	c:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.resources.dll
f3ac3f844f90380aab2b4c0836c4288f	c:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll
b87e087fc013225e2aa1cb60c080647d	c:\1a581e7121a380047c3556\microsoft.powershell.commands.management.resources.dll
dfeb401cc051e5da721c584ff6a90f88	c:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll
1ce73fb3f88c716cfc3fd550547d2b35	c:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.resources.dll
3991b7fa452a9c9c291c06365a236792	c:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll
36ff641f37918f2cca98e7f407ac4d75	c:\1a581e7121a380047c3556\microsoft.powershell.consolehost.resources.dll
208fa9d0ebe2ceb9616042772e96598e	c:\1a581e7121a380047c3556\microsoft.powershell.editor.dll
37bed865557084dd9988350ab1675e0b	c:\1a581e7121a380047c3556\microsoft.powershell.editor.resources.dll
d4eefccdc3de6ced901535fa4153c491	c:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.dll
108500a98b9a2f66823e7615398fc87b	c:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59	c:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.dll
5a69fb5d686f863e0e13268d671ef16d	c:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.resources.dll
53a9d748ef09920a0d06da2583c298ad	c:\1a581e7121a380047c3556\microsoft.powershell.security.dll
c7a0d1321a67a2afd330c5fbe79befd1	c:\1a581e7121a380047c3556\microsoft.powershell.security.resources.dll
1a4e900c2fe3cd31d10107670d184fe6	c:\1a581e7121a380047c3556\microsoft.wsman.management.dll
6372ea7d2aced7185183cf3fcdd3577b	c:\1a581e7121a380047c3556\microsoft.wsman.management.resources.dll
f7da27672d2e4c21a1f996ee31de0dbf	c:\1a581e7121a380047c3556\microsoft.wsman.runtime.dll
df4217ddb34a0b73dc7aac7829371c0c	c:\1a581e7121a380047c3556\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8	c:\1a581e7121a380047c3556\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9f	c:\1a581e7121a380047c3556\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3	c:\1a581e7121a380047c3556\powershell_ise.resources.dll
fc9a05096522bb6d7ceda62ea1707420	c:\1a581e7121a380047c3556\pscustomsetuputil.exe
95b7f12a557dedac5e4a1e9afa5e73ab	c:\1a581e7121a380047c3556\pspluginwkr.dll
35efd8cd6549a4339cb2a28c8cfd6598	c:\1a581e7121a380047c3556\pssetupnativeutils.exe
a94243b797377ba03b63fc716c13bcf5	c:\1a581e7121a380047c3556\pwrshmsg.dll
8c386819bf5b39d7a4b274d0b55f87a5	c:\1a581e7121a380047c3556\pwrshplugin.dll
7943a80f1a6fd37969aacd411b511f91	c:\1a581e7121a380047c3556\pwrshsip.dll
066f7fcca265d01a5b7eaf41ade789b1	c:\1a581e7121a380047c3556\spmsg.dll
a39df582ca051afc8811fbd00db12f10	c:\1a581e7121a380047c3556\spuninst.exe
1b2c60a6d6c3833b413943862b2bfed8	c:\1a581e7121a380047c3556\spupdsvc.exe
4d8ab4fad244f7985d8c59d456e026d7	c:\1a581e7121a380047c3556\system.management.automation.dll
2286b57ecc2d32d24049c51989084268	c:\1a581e7121a380047c3556\system.management.automation.resources.dll
5d6d17b645fa91fce7f0712f3da4f297	c:\1a581e7121a380047c3556\update\spcustom.dll
50914702cb6c72275018643c557ef8c5	c:\1a581e7121a380047c3556\update\update.exe
9a055da2f2819f155c33d47cd67a7c00	c:\1a581e7121a380047c3556\update\updspapi.dll
84e025b1259c66315f4d45a6caecacc9	c:\1a581e7121a380047c3556\wevtfwd.dll
cd17705af8e53a82facb545a213ab09c	c:\1a581e7121a380047c3556\winrmprov.dll
afdf7654880ce23005014895b129d948	c:\1a581e7121a380047c3556\winrs.exe
3e9b11880ae4a8ff399ce0573c82655b	c:\1a581e7121a380047c3556\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991	c:\1a581e7121a380047c3556\winrshost.exe
b84092e52861a026fc83bcede4a7abfa	c:\1a581e7121a380047c3556\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1	c:\1a581e7121a380047c3556\winrssrv.dll
972916faac89c4aa978952b30f478e81	c:\1a581e7121a380047c3556\wsmanhttpconfig.exe
2c9c9ae86eb2b4e78c8e09deb7509a63	c:\1a581e7121a380047c3556\wsmauto.dll
23ce21efc2ae95700f2b1f9582fe3867	c:\1a581e7121a380047c3556\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2	c:\1a581e7121a380047c3556\wsmprovhost.exe
67146d3606be1111a39f0fd61f47e9b6	c:\1a581e7121a380047c3556\wsmres.dll
18f347402da544a780949b8fdf83351b	c:\1a581e7121a380047c3556\wsmsvc.dll
296e6992278fea7140d88b603e6c2a8a	c:\1a581e7121a380047c3556\wsmwmipl.dll
f6b10cd7d50f1af15aad15f437da0681	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\miqan\miqan.exe
9859a26d5e72bbb0685af813b409d99d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
a39df582ca051afc8811fbd00db12f10	c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00	c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll
2f7fe3a781ba8c0a67c775f20e3e9f70	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.dll
75c183e262bd4400eb0f20349f6ef383	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
08e87e8abf7b41b28663dce817ce0ab6	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.dll
4e2482e69baaf3a5b13db8101c063ebf	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
f3ac3f844f90380aab2b4c0836c4288f	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.dll
b87e087fc013225e2aa1cb60c080647d	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.resources.dll
dfeb401cc051e5da721c584ff6a90f88	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.dll
1ce73fb3f88c716cfc3fd550547d2b35	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.resources.dll
3991b7fa452a9c9c291c06365a236792	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll
36ff641f37918f2cca98e7f407ac4d75	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.resources.dll
53a9d748ef09920a0d06da2583c298ad	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.dll
c7a0d1321a67a2afd330c5fbe79befd1	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.resources.dll
6372ea7d2aced7185183cf3fcdd3577b	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.Resources.dll
1a4e900c2fe3cd31d10107670d184fe6	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.dll
f7da27672d2e4c21a1f996ee31de0dbf	c:\WINDOWS\system32\WindowsPowerShell\v1.0\Microsoft.WSMan.Runtime.dll
4d8ab4fad244f7985d8c59d456e026d7	c:\WINDOWS\system32\WindowsPowerShell\v1.0\System.Management.Automation.dll
2286b57ecc2d32d24049c51989084268	c:\WINDOWS\system32\WindowsPowerShell\v1.0\System.Management.Automation.resources.dll
df4217ddb34a0b73dc7aac7829371c0c	c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8	c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe.mui
95b7f12a557dedac5e4a1e9afa5e73ab	c:\WINDOWS\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
a94243b797377ba03b63fc716c13bcf5	c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
7943a80f1a6fd37969aacd411b511f91	c:\WINDOWS\system32\WindowsPowerShell\v1.0\pwrshsip.dll
2c9c9ae86eb2b4e78c8e09deb7509a63	c:\WINDOWS\system32\WsmAuto.dll
67146d3606be1111a39f0fd61f47e9b6	c:\WINDOWS\system32\WsmRes.dll
18f347402da544a780949b8fdf83351b	c:\WINDOWS\system32\WsmSvc.dll
296e6992278fea7140d88b603e6c2a8a	c:\WINDOWS\system32\WsmWmiPl.dll
84e025b1259c66315f4d45a6caecacc9	c:\WINDOWS\system32\wevtfwd.dll
cd17705af8e53a82facb545a213ab09c	c:\WINDOWS\system32\winrmprov.dll
afdf7654880ce23005014895b129d948	c:\WINDOWS\system32\winrs.exe
3e9b11880ae4a8ff399ce0573c82655b	c:\WINDOWS\system32\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991	c:\WINDOWS\system32\winrshost.exe
b84092e52861a026fc83bcede4a7abfa	c:\WINDOWS\system32\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1	c:\WINDOWS\system32\winrssrv.dll
972916faac89c4aa978952b30f478e81	c:\WINDOWS\system32\wsmanhttpconfig.exe
23ce21efc2ae95700f2b1f9582fe3867	c:\WINDOWS\system32\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2	c:\WINDOWS\system32\wsmprovhost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	34713	36864	4.40206	6db25a3f1fdb74aab3deb24026d0466a
.rdata	40960	8410	12288	2.55633	ab1740cf996f89e12b73d11b0cdecb25
.data	53248	10460609	24576	1.01396	156abe12512051ed72f706c052049be3
.rsrc	10514432	246384	249856	5.51269	adc84c147f55008d94134d61b06d2ae4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
f7fb14f51fe992947fcdf83221ef22e6

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

svchost.exe_168:

.idata

.reloc

P.rsrc

Portions Copyright (c) 1983,99 Borland

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

setcpu:

:setcpu

HTTP/1.1

.length;

 =String.fromCharCode(parseInt(

.substr(

,2),16));

 =String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt());

.length-1)?

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Run("

=new ActiveXObject("WScript.Shell");

.RegRead("

wininet.dll

user32.dll

ntdll.dll

psapi.dll

"svchost.exe"

svchost.exe

ole32.dll

Kernel32.dll

\\.\LCD

1234567890

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

0123456789

Mozilla

?456789:;<=

!"#$%&'()* ,-./0123

.text

`.rdata

@.pdata

KERNEL32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyA

GetCPInfo

SetProcessWindowStation

OpenWindowStationA

EnumChildWindows

NtQueryValueKey

NtDeleteValueKey

NtSetValueKey

HttpSendRequestA

HttpOpenRequestA

atl.dll

wsock32.dll

shell32.dll

ShellExecuteExW

wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

winmm.dll

urlmon.dll

UrlMkSetSessionOption

<%<*<;<@<

:!:%:):-:1:

?:???_?}?

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

.Default

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

svchost.exe

explorer.exe

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

c:\%original file name%.exe path<<c:\%original file name%.exe>>path

svchost.exe_168_rwx_00090000_000B2000:

.idata

.reloc

P.rsrc

Portions Copyright (c) 1983,99 Borland

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

setcpu:

:setcpu

HTTP/1.1

.length;

 =String.fromCharCode(parseInt(

.substr(

,2),16));

 =String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt());

.length-1)?

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Run("

=new ActiveXObject("WScript.Shell");

.RegRead("

wininet.dll

user32.dll

ntdll.dll

psapi.dll

"svchost.exe"

svchost.exe

ole32.dll

Kernel32.dll

\\.\LCD

1234567890

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

0123456789

Mozilla

?456789:;<=

!"#$%&'()* ,-./0123

.text

`.rdata

@.pdata

KERNEL32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyA

GetCPInfo

SetProcessWindowStation

OpenWindowStationA

EnumChildWindows

NtQueryValueKey

NtDeleteValueKey

NtSetValueKey

HttpSendRequestA

HttpOpenRequestA

atl.dll

wsock32.dll

shell32.dll

ShellExecuteExW

wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

winmm.dll

urlmon.dll

UrlMkSetSessionOption

<%<*<;<@<

:!:%:):-:1:

?:???_?}?

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc

.Default

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

svchost.exe

explorer.exe

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

c:\%original file name%.exe path<<c:\%original file name%.exe>>path

svchost.exe_168_rwx_01000000_00006000:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_272:

.idata

.reloc

P.rsrc

Portions Copyright (c) 1983,99 Borland

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

setcpu:

:setcpu

HTTP/1.1

.length;

 =String.fromCharCode(parseInt(

.substr(

,2),16));

 =String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt());

.length-1)?

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Run("

=new ActiveXObject("WScript.Shell");

.RegRead("

wininet.dll

user32.dll

ntdll.dll

psapi.dll

"svchost.exe"

svchost.exe

ole32.dll

Kernel32.dll

\\.\LCD

1234567890

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

0123456789

Mozilla

?456789:;<=

!"#$%&'()* ,-./0123

.text

`.rdata

@.pdata

KERNEL32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyA

GetCPInfo

SetProcessWindowStation

OpenWindowStationA

EnumChildWindows

NtQueryValueKey

NtDeleteValueKey

NtSetValueKey

HttpSendRequestA

HttpOpenRequestA

atl.dll

wsock32.dll

shell32.dll

ShellExecuteExW

wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

winmm.dll

urlmon.dll

UrlMkSetSessionOption

<%<*<;<@<

:!:%:):-:1:

?:???_?}?

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD5

.Default

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

svchost.exe

explorer.exe

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

svchost.exe_372:

.idata

.reloc

P.rsrc

Portions Copyright (c) 1983,99 Borland

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

setcpu:

:setcpu

HTTP/1.1

.length;

 =String.fromCharCode(parseInt(

.substr(

,2),16));

 =String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt());

.length-1)?

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Run("

=new ActiveXObject("WScript.Shell");

.RegRead("

wininet.dll

user32.dll

ntdll.dll

psapi.dll

"svchost.exe"

svchost.exe

ole32.dll

Kernel32.dll

\\.\LCD

1234567890

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

0123456789

Mozilla

?456789:;<=

!"#$%&'()* ,-./0123

.text

`.rdata

@.pdata

KERNEL32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyA

GetCPInfo

SetProcessWindowStation

OpenWindowStationA

EnumChildWindows

NtQueryValueKey

NtDeleteValueKey

NtSetValueKey

HttpSendRequestA

HttpOpenRequestA

atl.dll

wsock32.dll

shell32.dll

ShellExecuteExW

wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

winmm.dll

urlmon.dll

UrlMkSetSessionOption

<%<*<;<@<

:!:%:):-:1:

?:???_?}?

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2

.Default

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

svchost.exe

explorer.exe

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

svchost.exe_272_rwx_00080000_000B2000:

.idata

.reloc

P.rsrc

Portions Copyright (c) 1983,99 Borland

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

setcpu:

:setcpu

HTTP/1.1

.length;

 =String.fromCharCode(parseInt(

.substr(

,2),16));

 =String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt());

.length-1)?

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Run("

=new ActiveXObject("WScript.Shell");

.RegRead("

wininet.dll

user32.dll

ntdll.dll

psapi.dll

"svchost.exe"

svchost.exe

ole32.dll

Kernel32.dll

\\.\LCD

1234567890

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

0123456789

Mozilla

?456789:;<=

!"#$%&'()* ,-./0123

.text

`.rdata

@.pdata

KERNEL32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyA

GetCPInfo

SetProcessWindowStation

OpenWindowStationA

EnumChildWindows

NtQueryValueKey

NtDeleteValueKey

NtSetValueKey

HttpSendRequestA

HttpOpenRequestA

atl.dll

wsock32.dll

shell32.dll

ShellExecuteExW

wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

winmm.dll

urlmon.dll

UrlMkSetSessionOption

<%<*<;<@<

:!:%:):-:1:

?:???_?}?

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD5

.Default

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

svchost.exe

explorer.exe

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

svchost.exe_272_rwx_01000000_00006000:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_372_rwx_00080000_000B2000:

.idata

.reloc

P.rsrc

Portions Copyright (c) 1983,99 Borland

kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

URLMON.DLL

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}

try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}

try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}

try {jwplayer().play()} catch(e){}

PSAPI.dll

setcpu:

:setcpu

HTTP/1.1

.length;

 =String.fromCharCode(parseInt(

.substr(

,2),16));

 =String.fromCharCode(

,1).charCodeAt()^

,1).charCodeAt());

.length-1)?

=new ActiveXObject("WScript.Shell");

.Environment("Process"))("

.Run("

=new ActiveXObject("WScript.Shell");

.RegRead("

wininet.dll

user32.dll

ntdll.dll

psapi.dll

"svchost.exe"

svchost.exe

ole32.dll

Kernel32.dll

\\.\LCD

1234567890

Shell32.dll

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

hXXp://

0123456789

Mozilla

?456789:;<=

!"#$%&'()* ,-./0123

.text

`.rdata

@.pdata

KERNEL32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyA

GetCPInfo

SetProcessWindowStation

OpenWindowStationA

EnumChildWindows

NtQueryValueKey

NtDeleteValueKey

NtSetValueKey

HttpSendRequestA

HttpOpenRequestA

atl.dll

wsock32.dll

shell32.dll

ShellExecuteExW

wtsapi32.dll

Wtsapi32.dll

PSAPI.DLL

winmm.dll

urlmon.dll

UrlMkSetSessionOption

<%<*<;<@<

:!:%:):-:1:

?:???_?}?

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD2

.Default

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

svchost.exe

explorer.exe

66006666

.Method '%s' not supported by automation object/Variant does not reference an automation object

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

svchost.exe_372_rwx_01000000_00006000:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

update.exe_1196:

.text

`.data

.rsrc

testroot.cer install failed 0x%lx

InstallOrRemoveTestCertificate: Failed to get FPs to MapFile

InstallOrRemoveTestCertificate: GetWindowsDirectory failed: 0x%lx

InstallOrRemoveTestCertificate: Allocation failed for CryptDataBlob.pbData

InstallOrRemoveTestCertificate: CertAddCertificateContextToStore failed: 0x%lx

InstallOrRemoveTestCertificate: CertSetCertificateContextProperty failed: 0x%lx

InstallOrRemoveTestCertificate: CertOpenStore failed: 0x%lx

InstallOrRemoveTestCertificate: CertCreateCertificateContext failed: 0x%lx

InstallOrRemoveTestCertificate: SetupDecompressOrCopyFile failed: 0x%lx

InstallOrRemoveTestCertificate: fnSetupOpenAndMapFileForRead failed: 0x%lx

d_.tmp%

InstallOrRemoveTestCertificate: LoadLibrary for SetupApi.dll failed: 0x%lx

SetupApi.DLL

1.3.6.1.4.1.311.10.3.6

1.3.6.1.4.1.311.10.3.5

1.3.6.1.5.5.7.3.3

new\testroot.ce*

testroot.ce*

%s_%d: Cannot install service pack on Data Center Server

%s_%d: Failed to get product build type.

shdocvw.dll

IsMTS2Installed: RegQueryValueEx for %s failed: 0x%lx

UpdateCopyFlags: Invalid Copy Flag : %s

CheckRegistryValue: RegOpenKeyEx for %s KeyName failed :0x%lx

%s: %s: failed (%u/0x%x)

ReadStringFromInf: UpdSpOpenInfFile for %s failed: 0x%lx

ReadStringFromInfW: UpdSpOpenInfFile for %s failed: 0x%lx

spuninst.exe

%d/%d/%d

RegisterServicePackInRegistry: RegCreateKeyEx for %s failed: 0x%lx

%s\SP%d\%s

CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

CleanupTrustedInfFile: GetFileAttributes for %s failed: 0x%lx

pRegistryDelnodeWorker: RegOpenKeyEx for %s failed:0x%lx

%d.%d.%d.%d

Failed to create process %s with error 0x%lx

ExpandEnvironmentStrings failed for %s with error 0x%lx

LaunchNotepadPrinter: GetGenericString for %s failed

Software\Classes\%s\shell\print\command

LaunchNotepadPrinter: GetGenericString for Software\Classes\.txt failed

Software\Classes\.txt

Software\Classes\%s\shell\open\command

LaunchNotepadReadme: GetGenericString for Software\Classes\.htm failed

Software\Classes\.htm

Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40

ResetKeySecurity:AllocateAndInitializeSid failed :0x%lx

SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Software\Microsoft\Windows\CurrentVersion\Setup

ListHotfixes:RegOpenKeyEx for SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\ failed :0x%lx

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\

%s\SP%s\%s\Filelist

regsvr32 /s %s

Registrations.System32

GLE = %d

\spuninst\spuninst.exe

GetOldUninstDir: RegOpenKeyEx failed :0x%lx

Software\Microsoft\Windows\CurrentVersion\Uninstall\%s

Software\Microsoft\Windows\CurrentVersion\Uninstall

Target File Size Mismatch: %s, ExpectedSize = x, ActualSize = x

VerifySize: Unable to obtain Target file size: %s

VerifyTargetFileSize: Skip size verification for locally build file %s

VerifyTargetFileSize: Skip size verification for cached source file %s

VerifyTargetFileSize: Unable to verify size as Source = NULL for file %s

DoPreDeletes(): Error 0xlX deleting %s

RegisterHotpatchTargetPeersForNoDelay: AddSpecialFileNode failed for %s; error=0xlx.

QueueHotpatchTargets: UpdSpQueueCopy failed for %s -> %s; error=0xlx.

AtomicReplaceFile: Calling HpReplaceSystemModule( %s, %s, %s, %s ).

_d_.tmp

HpApplyHotPatch: Apply failed for process %s with pid %lu; status=0xlx, location=%lu.

HpApplyHotPatch: Apply succeeded for process %s with pid %lu; status=0xlx, location=%lu.

ApplyHotpatches: Unable to register hotpatch of %s; hotpatch application treated as failure.

ApplyHotpatches: Failed to add value to SOFTWARE\Microsoft\Updates key.

ApplyHotpatches: Failed to open %s key.

ApplyHotpatches: Calling HpApplyHotPatch( %s, %s, 0xlx, 0x%p ).

ApplyHotpatches: %s was not atomically replaced; skipping apply.

ApplyHotpatches: %s was delayed; skipping apply.

ApplyHotpatches: %s was not copied; skipping apply.

ApplyHotpatches: Hotpatch source=%s,target=%s applies to target %s...

IsRebootRequiredForFileQueue: %s was hotpatched since last boot; reboot is required.

IsRebootRequiredForFileQueue: %s was delayed; reboot is required.

IsRebootRequiredForFileQueue: %s was no-delay replaced; reboot is required.

IsRebootRequiredForFileQueue: Hotpatch for %s was not applied; reboot is required.

IsRebootRequiredForFileQueue: %s was atomically replaced and had no hotpatch; reboot is required.

IsRebootRequiredForFileQueue: %s copy method unknown; reboot is required.

IsRebootRequiredForFileQueue: At least one file operation was delayed; reboot is required.

Failed To Copy File %s error = 0x%lx

Failed To Move File %s error = 0x%lx

GetTempFileName for File %s Failed error 0x%lx

File resulted in exception %s

Device files %s has SKIP flag

ExConditionalRunInfProcesses: Error 0x%lx while running processes in section '%s.'

ExConditionalRunInfProcesses: Error 0x%lx while queuing processes in section '%s.'

ExConditionalProcessShortcutOperations: Error 0x%lx while trying to create shortcuts from section '%s'.

ExConditionalProcessCatalogOperations: Error 0x%lx while trying to queue catalogs from section '%s'.

ExConditionalProcessCatalogOperations: Error 0x%lx while trying to install catalogs from section '%s'.

ExConditionalProcessCatalogOperations: Error 0x%lx while trying to delete catalogs from section '%s'.

AddExConditionalRegOperations: Error 0x%lx loading section %s

ExConditionalProcessFileOperations: Error 0x%lx loading section %s

ExConditionalLoadQueue: Section %s: '%s' is not a valid operation type.

ExConditionalLoadQueue: Fatal error, section '%s' was not defined in [ExtendedConditional.Declare]

ExConditionalLoadQueue: Section %s: Line %d is missing target section.

ExConditionalLoadQueue: Section %s: Line %d is missing Operation type.

ExConditionalLoadQueue: Operation type %s does not match declared type of section %s.

ExConditionalLoadQueue: Section %s: Unable to choose correct condition file queue.

ExConditionalProcessSection: Error reading line %d of section %s.

ExConditionalProcessSection: Required section '%s' is not present in INF.

ExConditionalProcessSection: Error %s is not a supported operation type.

ArchiveOperation

ProcessOperation

CatalogOperation

ShortcutOperation

RegOperation

FileOperation

ExConditionalEvaluateSection: Condition in section %s was not met %s will not be processed.

ExConditionalEvaluateSection: Syntax error in 'Condition' key of section %s.

ExConditionalEvaluateSection: Required section '%s' is not present in INF.

ExConditionalEvaluateSection: Section %s missing required value for 'ConditionalOperations'.

ExConditionalEvaluateSection: Section %s missing required key 'ConditionalOperations'.

ConditionalOperations

ExConditionalEvaluateSection: Section %s missing required key 'Condition'.

ExConditionalEnumerateSections: Required section '%s' is not present in INF.

ExConditionalEnumerateSections: Line %d is missing target section value.

pGetDynamicPath:ExpandEnvironmentStrings failed while processing %s with 0x%lx

pGetDynamicPath: Hit exception 0x%lx while calling %s:%s

pGetDynamicPath: GetProcAddress for %s failed: 0x%lx

pGetDynamicPath: LoadLibrary for %s failed: 0x%lx

%s.%d: Failed to set file attributes to saved attributes with error %d

%s.%d: Failed to write to file %s with error %d

%s=%s%s$,%s%s_%c$

%s.%d: Failed to build string with error 0X%x

%s.%d: Failed to set file pointer %s with error %d

%s.%d: Failed to open file %s with error %d

%s.%d: Failed to set file attributes to normal with error %d

%s.%d: Failed to get file attributes with error %d

%s.%d: Failed to allocate a buffer from heap with error %d

%s.%d: Failed to get process heap handle with error %d

HAL.EXCLUSIONS

ArchiveOldHotfixRegistryInfo: Allocation failed for KeyBuffer

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix

%s (0x%lx)

%s %s

Files.SystemPartition

Files.WinNt

SetDynamicDirectoryId: failed for %d to set path to %s

Failed to set Dir Id Path for %d with error 0x%lx

SetDynamicDirectoryId:GetFileAttributes for %s failed : STATUS_INVALID_INSTALL_PATH

%s: Failure while generating dynamic path, 0x%1x

SetExConditionalFlags: Error parsing string %s.

SetExConditionalFlags: Error converting %s into flag.

InstallFromFunction call in inf section "%s" failed with error 0x%lx .

CustomizeInstallFromSection: LoadLibrary for %s failed: 0x%lx

CustomizeInstallFromSection: GetProcAddress for %s failed: 0x%lx

CustomizeInstallFromSection: Exceptions happened in calling %s!%s

GetDynamicDirIdPath: No DirId found for: %s

%s: Malformed registry identifier in [%s] for InstallPathRegistry

InstallPathRegistryKey

Conditional load of section %s succeeded

IncludeConditionalChangesFromInfSection: UpdSpFindFirstLine for Operation failed: 0x%lx

IncludeConditionalChangesFromInfSection: UpdSpGetStringField for %s failed: 0x%lx

IncludeConditionalChangesFromInfSection: LoadLibrary for %s failed: 0x%lx

IncludeConditionalChangesFromInfSection: GetProcAddress for %s failed: 0x%lx

Failed to load %s from %s

IncludeConditionalChangesFromInfSection: UpdSpGetIntField failed to retrieve int value from: %s, Error: 0x%lx

IncludeConditionalChangesFromInfSection: UpdSpGetStringField failed to retrieve String value from: %s, Error: 0x%lx

IncludeConditionalChangesFromInfSection: UpdSpGetBinaryField failed. Error:%d

IncludeConditionalChangesFromInfSection: UpdSpGetBinaryField failed to retrieve Binary value from: %s, Error: 0x%lx

Operation

Register.Include

Strings.Install

DeRegisterUninstallProgramInInf: UpdSpOpenInfFile for %s failed: 0x%lx

spuninst.inf

DeleteOldHotfixRegistryInfo:Allocation failed for KeyBuffer

DeleteOldHotfixRegistryInfo: RegOpenKeyEx for %s failed: 0x%lx

SP AppPatch version text is %s

apcompat.addreg.full

CreateMIFFile:LoadLibrary for ismif32.dll failed :0x%lx

%s %s

ismif32.dll

MyCopyFile: Copy of %s to %s failed (error=0xx); Retries exhausted.

MyCopyFile: Copy of %s to %s failed (error=0xx); Retrying...

MyCopyFile: failed to EnsureDirectoryForFile(%s), error %u

UpdSpDecompressOrCopyFile retries failed: %s

UpdSpDecompressOrCopyFile error: %s, Error = x

MyCopyFileThroughTempFile: Failed to PRF %s to %s

MyCopyFileThroughTempFile: Failed to copy back tempTargetFile %s to pszNewTarget %s

MyCopyFileThroughTempFile: PFR %s to %s

MyCopyFileThroughTempFile: CopyFile Failed to copy %s to %s with error 0x%lx

MyCopyFileThroughTempFile: Tried to schedule a PFR delete %s

Copied %s to %s via %s

Copied File: %s

MyCopyFileWithRetryThroughTempFile: failed to EnsureDirectoryForFile(%s), error %u

MyCopyFileWithRetryThroughTempFile: pcszSouce = %s,

pcszTarget = %s,

fDecompress = %s,

pszNewTarget = %s,

pbDelayed = %s,

bForceInUse = %s

MyCopyFileWithRetryAndCancel: failed to EnsureDirectoryForFile(%s), error %u

LoadBranchesInf: Branch %s has unresolved parent; %s is invalid.

LoadBranchesInf: Circular reference detected for branch %s; %s is invalid.

LoadBranchesInf: Missing parent branch name for branch %s; %s is invalid.

LoadBranchesInf: Missing display name for %s; %s is invalid.

LoadBranchesInf: Duplicate definition of branch %s; %s is invalid.

LoadBranchesInf: Missing branch name; %s is invalid.

LoadBranchesInf: Error opening %s; error=0xlx.

LoadBranchesInf: BrInitialize() failed with inf %s; error=0xx, line=%u.

LoadOrInstallBranchesInf: BRANCHES_INF_OP_LOAD: Loading %s ...

LoadOrInstallBranchesInf: BRANCHES_INF_OP_INSTALL: Copying %s -> %s ...

LoadOrInstallBranchesInf: Got unknown operation code.

LoadOrInstallBranchesInf: Using %s.

LoadOrInstallBranchesInf: No branches.inf found..

LoadOrInstallBranchesInf: Source branches.inf does not exist; using target.

LoadOrInstallBranchesInf: Target branches.inf does not exist; using source.

LoadOrInstallBranchesInf: One or both of source and target branches.inf do not have versions; using source.

LoadOrInstallBranchesInf: Target branches.inf is newer; using target.

LoadOrInstallBranchesInf: Source branches.inf is newer; using source.

inf\branches.inf

update\branches.inf

LoadUpdateBrInf: Missing inf name for branch %s in SourceInfsBranches; %s is invalid.

LoadUpdateBrInf: Duplicate definition of inf name for branch %s in SourceInfsBranches; %s is invalid.

LoadUpdateBrInf: Branch %s not defined in SourceInfsBranches; %s is invalid.

LoadUpdateBrInf: Missing branch name in SourceInfsBranches; %s is invalid.

LoadUpdateBrInf: Branch %s not defined in DefaultBranchesServicePacks; %s is invalid.

LoadUpdateBrInf: Missing default branch name for SP# %lu in DefaultBranchesServicePacks; %s is invalid.

LoadUpdateBrInf: Duplicate definition of default branch for SP# %lu in DefaultBranchesServicePacks; %s is invalid.

LoadUpdateBrInf: SP# %lu out of range (0-255) in DefaultBranchesServicePacks; %s is invalid.

LoadUpdateBrInf: Missing SP# in DefaultBranchesServicePacks; %s is invalid.

DefaultBranchesServicePacks.WinNt%u%u

LoadUpdateBrInf: Error opening %s; error=0xlx.

LoadUpdateBrInf: updatebr.inf does not exist; nothing to do.

update\updatebr.inf

MyGetFileVersionEx: Exeception hit in VerQueryValueA 0xlx

QueueMigrationStageFiles: Error creating directory %s; error=0xlx.

QueueMigrationStageFiles: Error opening %s; error=0xlx.

QueueMigrationStageFiles: Missing inf %s for branch %s.

QueueMigrationStageFiles: Error queueing SourceDisksFiles from %s; error=0xlx.

ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: MyCopyWithRetryAndCancel failed for %s -> %s; Error=0x%lx.

ProcessSetupContentSection: Missing source file %s.

ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_ARCHIVE: ArchiveFileForUninstall failed for %s; Result=0x%lx.

ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied %s -> %s.

ProcessSetupContentForMigration: ProcessSetupContentSection failed for SetupFiles.Common; Error=0x%lx.

SetupFiles.Common

ProcessSetupContentForMigration: ProcessSetupContentSection failed for %s; Error=0x%lx.

SetupFiles.%s

IsClassDllCopied: component %s: no target %s

IsClassDllCopied: no source component %s

pGetDynamicDirIdInformation: Dynamic Path operation unknown or missing.

ExConditionalProcessArchiveOperations: Error 0x%lx while queuing registry keys from section '%s' for uninstall.

ExConditionalProcessArchiveOperations: Error 0x%lx while trying to archive catalogs from section '%s'.

ExConditionalProcessArchiveOperations: Error 0x%lx while copying section %s to the uninstall inf.

update.url PatchSigFlags: 0xX

%s: update.url absent

update\update.url

InitInst: UpdSpOpenInfFile for %s failed: 0x%lx

InitInst: Using inf %s.

InitInst: Inf file %s not found.

InitInst: g_BranchAware=%s.

update\update.inf

InitInst: Using branch %s.

InitInst: No inf for branch %s specified on command line.

empty.cat

szSFXSourcePath = %s

_SFX_CAB_EXE_PATH = %s

_SFX_CAB_EXE_PATH

InitInst: Cannot find \update\update.exe file

\update\update.exe

repair\setup.log

ProductInstall.MultiprocessorFiles

ntkrnlmp.exe

ProductInstall.UniprocessorFiles

ntoskrnl.exe

IsThisAnOEMFile: FFileFound failed for %s :STATUS_SETUP_LOG_NOT_FOUND

FPNW.DLL

FPNWSRV.SYS

AddCustomInfoToSpuninstInf: Invalid data found in %s: %s

AddCustomInfoToSpuninstInf: Could not find %s

SpuninstExtra%d

AddCustomInfoToSpuninstInf: Invalid NumSpuninstExtras in CustomStringTable: %d

COPY "%s" "%s"

%s\spuninst\spuninst.tag

COPY "%s\%s" "%s\%s"

.restore.files

DEL "%s\%s"

.delete.files

UninstallationType = "%s"

UnInstallLogFileName = "%s"

EventLogKeyName = "%s"

ProductName = "%s"

CustomizationDll = "%s"

WaitTimeForServiceStop = %d

OverwriteThirdParty = %d

RestartDevice = %d

ServiceFileInUseDetect = "%d"

Strings.Uninstall

UninstallSections.PRE.SP

InitializeMasterSpuninstInf: ExConditionalProcessArchiveOperations: ARCHIVE_OP_REG failed with error 0x%lx

ProcessesToRunAfterUninstallReboot.RebootNotRequired

ProcessesToRunAfterReboot.RebootNotRequired

inf\iis.tmp

inf\iis.inf

iis.in_

iis.inf

il\iis.inf

id\iis.inf

iw\iis.inf

ib\iis.inf

ia\iis.inf

is\iis.inf

ip\iis.inf

[AppPatch.Exclusions]

%s,"%s",,"%s"

[Reg.Delete.Values]

%s,"%s","%s","%s",%d,%d

[Reg.Restore.Values]

%s,"%s"

[Reg.Delete.Keys]

%s,"%s","%s",%s

[Reg.Restore.Keys]

%s,,,8

[RestoreFiles.NoDelay]

DelFiles = "%s"

CopyFiles = "%s"

.nodelay

0, "%s"

10, "%s"

%lu, "%s"

.restore.files.nodelay

"%s" =

Signature = "$Windows NT$"

NtServicePackVersion = %d

NtServicePackVersionText = "%s"

NtServicePackVersionFullText = "%s"

NtServicePackPreviousVersion = %d

NtServicePackPreviousVersionText = "%s"

DisplayTitle = "%s"

SP_TITLE = "%s"

RebootRequired = %d

1 = "Windows NT Service Pack Uninstall Directory"

IEVersion = "%s"

0.0.0.0

[SnapShot.Install]

AddCustomInfoToARP: Could not write %s,%s: 0x%lx

AddCustomInfoToARP: Invalid data found in %s: %s,

AddCustomInfoToARP: Invalid data found in %s: %s

AddCustomInfoToARP: Could not find %s

ARPExtra%d

AddCustomInfoToARP: Invalid NumARPExtras in CustomStringTable: %d

Registering Uninstall Program for -> %s, %s , 0x%lx

RegisterUninstallProgram: RegCreateKeyEx failed: 0x%lx

RegisterUninstallProgram: RegCreateKeyEx for %s failed: 0x%lx

URLInfoAbout

RegisterUninstallProgram: Set InstallDate call NtQuerySystemTime failed with error 0x%x

RegisterUninstallProgram: Set InstallDate call StringCchPrintf failed with error 0x%x

RegisterUninstallProgram: Set InstallDate call StringCchLength failed with error 0x%x

RegisterUninstallProgram: Set InstallDate call RegSetValueEx failed with error %u

%ddd

MainQueueCallback: SPFILENOTIFY_FILEOPDELAYED: Delayed delete of %s.

Failed to write %s to sprecovr.txt, Error 0x%lx

DEL "%s"

Begin: SPFILENOTIFY_FILEOPDELAYED: source %s, target %s

Begin: SPFILENOTIFY_STARTDELETE: %s

Begin: SPFILENOTIFY_STARTRENAME: %s

MainQueueCallback: MyCopyFileWithRetryThroughTempFile failed to copy file %s with Error %u

%s = %s

Failed To Write %s: error 0xlx

MainQueue: component %s: not present

MainQueue: component %s: no disposition for target %s

MainQueue: component %s: no target %s

MainQueue: no source component %s

MainQueue: bad path on %s

Begin: SPFILENOTIFY_STARTCOPY: %s

RegisterSpEventSource: RegSetValueEx for TypesSupported failed: 0x%lx

TypesSupported

%%SystemRoot%%\System32\%s

System\CurrentControlSet\Services\EventLog\System\%s

RegisterSpEventSource: spmsg.dll not found

ArchiveRegistryNode: RegSaveKey for %s failed: 0x%lx

ArchiveRegistryNode: RegQueryValueEx for %s failed: 0x%lx

ArchiveRegistryNode: RegQueryInfoKey failed: 0x%lx

DeclareDynamicDirectoryId: Syntax error, no InstallSection found in %s.

DeclareDynamicDirectoryId: Unable to verify that DIRID#%d is set to %s.

DeclareDynamicDirectoryId: Section %s is set to path %s

DeclareDynamicDirectoryId: Path set by UpdSpGetTargetPath does not match %s.

DeclareDynamicDirectoryId: Syntax error, unable to retrieve DirID info from %s.

DeclareDynamicDirectoryId: Syntax error, no declared DIRID in %s

DeclareDynamicDirectoryId: Unable to retrieve path for DIRID#%d

DeclareDynamicDirectoryId: NULL path for DIRID#%d

IncludeDirectoryIdFromInfSection: No DirId found for: %s

DirectoryId.Include

ProductInstall.Conditional

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Policies\Microsoft\Windows NT\Windows File Protection

ExConditionalInitializeSections: Section %s: %s did not resolve to valid flags.

ExConditionalInitializeSections: Section %s: ExecuteStage %s is not a defined stage.

EXECUTE_BEFOREREGOPERATIONS

ExConditionalInitializeSections: Section %s: Missing required key 'ExecutionPhase'.

ExConditionalInitializeSections: Section %s: Flag '%s' does not evaluate to known copy flags.

ExConditionalInitializeSections: Section %s: Missing required key 'Flags'.

ExConditionalInitializeSections: Section %s: Did not set Dynamic DirID.

ExConditionalInitializeSections: Section %s: Missing required key 'OperationType'.

ExConditionalInitializeSections: Section %s: OperationType %s is not a defined operation.

OperationType

ExConditionalInitializeSections: Required section '%s' is not present in INF.

ExConditionalInitializeSections: Section %s: Missing required key 'InstallSection'.

ExConditionalDeclareSections: Section %s: Error 0x%lx while reading line %d.

ExConditionalDeclareSections: Fatal error while declaring section %s.

regd

LoadFileQueues: Error 0x%lx while trying to load extended conditional file operations.

LoadFileQueues: UpdSpInstallFilesFromInfSection for %s failed: 0x%lx

IISSection.CopyFilesAlways

ProductInstall.CopyFilesAlways

ProductInstall.ReplaceFilesIfExist

ProductInstall.CopyFilesAlways.DontDelayUntilReboot

ProductInstall.DontDelayUntilReboot

LoadFileQueues: UpdSpGetSourceFileLocation for %s failed: 0x%lx

LoadFileQueues: UpdSpQueueCopy for %s failed: 0x%lx

HAL.DLL

LoadFileQueues: UpdSpGetSourceInfo for %s failed: 0x%lx

(free = %I64u, add = %u, overwrite = %u, recover = %u, uninstall = %u)

w/ Uninstall, drive %c: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.

w/ Uninstall, share %s: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.

w/o Uninstall, drive %c: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.

w/o Uninstall, share %s: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.

r ej exporteras

o para exporta

csak USA/Kanada, nem export

tats-Unis/Canada uniquement, exportation non autoris

lo EE.UU. y Canad

, no para exportar

eno pro export

exporta

tylko Stany Zjednoczone i Kanada, nie na eksport

bare USA/Canada, ikke for eksport

Alleen voor V.S. en Canada. Niet bestemd voor export

solo USA e Canada, non per esportazione

US/Canada Only, Not for Export

NonPEFiles.Inclusions

NonPEFiles.Exclusions

LoadHotpatchTargetDirs: [HotpatchTargetDirs] invalid section name on line %u; inf is invalid.

LoadHotpatchTargetDirs: [HotpatchTargetDirs] missing section name on line %u; inf is invalid.

\StringFileInfo\xx\FileDescription

\encinst.exe

%s: %s( %s ) failed (%u)

update\update.ver

LoadHotpatchSourceInfo: [HotpatchSourceInfo] duplicate source name on line %u; inf is invalid.

LoadHotpatchSourceInfo: [HotpatchSourceInfo] invalid source name on line %u; inf is invalid.

LoadHotpatchSourceInfo: [HotpatchSourceInfo] missing source name on line %u; inf is invalid.

LoadHotpatchSourceInfo: [HotpatchSourceInfo] flags not specified on line %u; assuming zero.

LoadHotpatchSourceInfo: [HotpatchSourceInfo] invalid flags on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] duplicate MD5 hash on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] invalid MD5 hash on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] missing MD5 hash on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] non-hotpatch hotpatch source name on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] invalid hotpatch source name on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] missing hotpatch source name on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] invalid base source name on line %u; inf is invalid.

LoadHotpatchTargetInfo: [HotpatchTargetInfo] missing base source name on line %u; inf is invalid.

Patch candidate "%s" from "%s"

IPDHintSource: %s

HotpatchPeerTarget: %s

FileBranch: %s

(d/d/d d:d:d.d)

FileSize: %u

FullNameInReference: %s

TargetInUse: %s

signature=%s

TargetSignatureValid: %s

TargetHashMatches: %s

TargetHashValid: %s

TargetVersionValid: %s

TargetExists: %s

target=%s flags=%X style=%X

hotpatch=%s applies-to MD5=

alias %s

FileBranch: %s

IPDWaitingChildren=%s

IPDWaitingSiblings=%s

DownloadCandidate=%s

download=%u

PatchSignature: %s

FileSize: %u

HashValid: %s

VersionValid: %s

CompressedPresent: %s

SourcePresent: %s

HotpatchFlags: %X

EffectiveFileName: %s

clone="%s"

source=%s base=%s size=%u flags=%X

WillOurComponentGetInstalled: StringCbCopy failed with error code 0x%x

WillOurComponentGetInstalledEx: StringCbCopy failed with error code 0x%x

Wiz2Proc:CreateFile failed for eula.txt:INVALID_HANDLE_VALUE

eula.txt

spuninst\spuninst.inf

target.lnk

Comctl32.dll

(%d.%d.%d.%d)

PFRTranslateAndGetFileVersion: Failed with error code, 0X%x

PFRTranslateAndGetFileVersion: %s has effective file %s with version %I64u

Deleting File: %s ( incoming is older file )

Deleting File: %s ( incoming is a newer file )

Deleting File: %s ( File on disk is newer than the temp file )

PendingFileRenameOperations

ResolveRegistryReference: ExpandEnvironmentStrings failed with error %u, size %u

ResolveRegistryReference: %s key not found

FNFCIGETOPENINFO: CreateFile for %s file failed with error INVALID_HANDLE_VALUE

No target path name found in [%s] section

No files queued for cabinet %s

Conflicting component %s in [%s]

No [%s] section found in INF

No filelist tag for %s in [%s]

Missing destination dir in [%s]

No %s tag in [%s]

Find or Create the source file node for cabinet %s failed

ref tag %s does not exist

Conflicting filelist tags for %s in [%s]

Cabinet build failed, GLE=0xX

Cabinet build used %u ticks

FCIAddFile() failed: code %d [%s]

MyFCIFlushCabinet() failed: code %d [%s]

Cabinet component %s is zero-length

Cabinet component %s is missing

MyFCICreate() failed: code %d [%s]

Building cabinet "%s"

Cabinet "%s" now exists

MyFDICopy failed: code %d [%s]

IsIntegrationSourceSP: UpdSpOpenInfFile failed to open %s file with error 0x%lx

IsIntegrationSourceSP: Cannot find file %s.

Update.exe return code was masked to 0x%lx for MSI custom action compliance.

Update.exe extended error code = 0x%lx

spuninst.exe /~ -u -z

spuninst.exe /~ -q -z

%s-%s

win51%s

cdrom_%s.5

_SFX_CAB_EXE_PACKAGE

%s: %s

spslpsrm.log

_HFM_EXE_PATH

oMySetRestorePoint: LoadLibrary for SrClient.DLL failed: 0x%lx

filelist.xm*

SrClient.DLL

%s\spool\drivers\%s%s

.d

%s,%s.d

ArchiveFileForUninstall: %s

Drive %c: Need additional %uMB to install, %uMB with uninstall

Share %s: Need additional %uMB to install, %uMB with uninstall

Error: Drive %c: free %uMB req: %uMB w/uninstall %uMB

Error: share %s: free %uMB req: %uMB w/uninstall %uMB

Drive %c: free %uMB req: %uMB w/uninstall: NOT CALCULATED.

Share %s: free %uMB req: %uMB w/uninstall: NOT CALCULATED.

Drive %c: free %uMB req: %uMB w/uninstall %uMB

Share %s: free %uMB req: %uMB w/uninstall %uMB

Drive: %c Free Space=%uMB To Add=%uMB Calculated Slush=%uMB.

MyInstallCatalogFiles: ExConditionalProcessCatalogOperations failed with error 0x%lx.

ProductCatalogsToInstall.IL

ProductCatalogsToInstall.IC

ProductCatalogsToInstall.ID

ProductCatalogsToInstall.IW

ProductCatalogsToInstall.IB

ProductCatalogsToInstall.IA

ProductCatalogsToInstall.IS

ProductCatalogsToInstall.IP

spuninst.exe

RegisterHotfixInRegistry:RegCreateKeyEx for %s Failed: 0x%lx

%s\SP%s\%s

SetProductTypes: InfProductBuildType=%s

BuildType.KNEval

BuildType.KNSel

BuildType.Start

BuildType.Start.MSDN

BuildType.Mnt

BuildType.Evl

BuildType.Sel

BuildType.Selx64pro

ServicePackFiles.IL

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Business

ProductInstall.CopyFilesAlways.Business

ProductInstall.BusinessFiles

BuildType.WinSB

BuildType.IL

ServicePackFiles.IC

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Consumer

ProductInstall.CopyFilesAlways.Consumer

ProductInstall.ConsumerFiles

BuildType.IC

ServicePackFiles.IA

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Advanced

ProductInstall.CopyFilesAlways.Advanced

ProductInstall.AdvancedFiles

BuildType.IA

BuildType.KNIA

ServicePackFiles.IW

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.WindowsPowered

ProductInstall.CopyFilesAlways.WindowsPowered

IISSectionWindowsPowered

ProductInstall.WindowsPoweredFiles

BuildType.IW

ServicePackFiles.IB

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Blade

ProductInstall.CopyFilesAlways.Blade

ProductInstall.BladeFiles

BuildType.IB

ServicePackFiles.ID

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Datacenter

ProductInstall.CopyFilesAlways.Datacenter

ProductInstall.DatacenterFiles

BuildType.ID

ServicePackFiles.IS

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Server

ProductInstall.CopyFilesAlways.Server

ProductInstall.ServerFiles

BuildType.IS

BuildType.KNIS

ServicePackFiles.IP

ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Professional

ProductInstall.CopyFilesAlways.Professional

ProductInstall.ProfessionalFiles

BuildType.IP

DeleteOldSpUninstallDir:GetFileAttributes for %s file Failed: 0x%lx

DeleteOldSpUninstallDir:UpdSpOpenInfFile for %s file Failed: 0x%lx

IsSPBetaKey:PID is not in proper format

IsSPBetaKey:pLA->lpVtbl->GetProductID Failed: 0x%lx

IsSPBetaKey:CoCreateInstance Failed: 0x%lx

IsSPBetaKey:CoInitializeEx Failed: 0x%lx

CheckVLKForBlock: LIC.dll not trust verified

CheckVLKForBlock:LoadLibrary for LIC.dll Failed: 0x%lx

licdll.dll

new\secupd.sig

new\secupd.dat

CheckForMicrosoftKernel:RegOpenKeyEx for SYSTEM\CurrentControlSet\Control failed:0x%lx

IsInfFileTrusted: SetupOpenInfFile for %s failed: 0x%lx

IsInfFileTrusted: UpdSpOpenInfFile for %s Failed: 0x%lx

DisplayName value not found in HKLM\%s key - uninstall is disabled

UninstallString value could not be found in HKLM\%s key

HKLM\%s key could not be opened

Software\Microsoft\Windows\CurrentVersion\Uninstall\

%s could not be launched

Launching %s

SourceFilesURL

InitializeMasterSpuninstInf: CreateFile failed on %s: 0x%lx

InitializeMasterSpuninstInf: WriteFile failed writing to %s: 0x%lx

RebootRequired = %d

1 = "Windows NT %s Uninstall Directory"

Child %s: AddInstanceToMasterSpuninstInf: CreateFile failed on %s: 0x%lx

Child %s: AddInstanceToMasterSpuninstInf: WriteFile failed writing to %s: 0x%lx

AddInstanceToMasterSpuninstInf: Instance %s already exists.

SpawnInstancesForInstall: InstName%d not found in CustomStringTable

InstRetVal%d

SpawnInstancesForInstall: InstRetVal%d = 0x%lx

SpawnInstancesForInstall: Failed to spawn instance %s: 0x%lx

InstParams%d

%s /Quiet /NoRestart /ER /InstName:%s

InstName%d

SpawnInstancesForInstall: Invalid NumInstances in CustomStringTable: %d

DlgProcAsk128:User Message: %s

RegisterFile:RegOpenKeyEx for %s Failed: 0x%lx

%s\%d

RegisterFile:RegCreateKeyEx for %s Failed: 0x%lx

ReadConfiguration: UseCache value is set as: %d

ReadConfiguration: Error, Failed to get UseCache value %u or UseCache value is wrong: %d

FileInUse:: ServiceFileInUseDetect value is set as: %d

FileInUse:: AppFileInUseDetect value is set as: %d

SOFTWARE\Microsoft\Updates\Windows

SOFTWARE\Microsoft\Updates\Windows 2000

SOFTWARE\Microsoft\Updates\Windows XP

SOFTWARE\Microsoft\Updates\Windows Server 2003

SOFTWARE\Microsoft\Updates\Windows XP Version 2003

UpdateRegKey

\spuninst.inf

spmsg.dll

EventLogKeyName

Express: %s bytes were downloaded.

Reg spuninst.exe, failed to write SpRecoverCmdLine value, error is 0x%lx

SpRecoverCmdLine

Reg spuninst.exe, failed to open System\Setup key, error is 0x%lx

UnRegisterSpuninstForRecovery, failed to delete SpRecoverCmdLine value, error 0x%lx

UnRegisterSpuninstForRecovery, failed to open reg key, error 0x%lx

RegisterSprecovr, failed to Set BootExecut value, error is 0x%lx

sprecovr \SystemRoot\sprecovr.txt

RegisterSprecovr: failed to copy sprecovr.exe to the system, error is 0x%lx

sprecovr.exe

RegisterSprecovr, Failed to open sprecovr.txt with error 0x%lx

RegisterSprecovr, failed to copy sprecovr.txt, error is 0x%lx

sprecovr.txt

\spuninst\spuninst.txt

BootExecute

RegisterSprecovr, RegOpenKey failed with error 0x%lx.

UnRegisterSprecovr, RegOpenKey failed with error 0x%lx.

ArchiveHighEncryptionFiles: Allocation for CurrentExportEntry failed

*.tmp

updencin.exe /x

ArchiveHighEncryptionFiles: RegCreateKeyEx Failed: 0x%lx

SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\EncInst

tsocenc.inf.sav

tsocenc.inf

encinst.inf.sav

encinst.inf

updencts.inf

Could not copy updencts.inf file to Export directory

Could not copy updencin.inf file to Export directory

updencin.inf

Could not copy encinst.exe file to Export directory

updencin.exe

encinst.exe

export

Could not copy rsaenhs.dll file to System32 directory

ArchiveHighEncryptionFiles: Cannot find rsaenhs.dll

rsaenhs.dll

ScanAssimilateDUCallback: File operatation aborted

updatetmp.tmp

ArchiveFilesFromArchiveFilesSections:FindFirstFile for %s Failed: 0x%lx

ArchiveFilesFromArchiveFilesSection: ExConditionalProcessArchiveOperations failed with error 0x%lx.

Tmp.%d.%s

%s\Tmp.%d.%s

sfc.dll

ArchiveQueue: component %s: no target %s

ArchiveQueue: no source component %s

ArchiveQueue: bad path on %s

$winnt$.pnf

RegisterDll: Failed to spawn process; error=0xx

RegisterDll: Exit code=0xx

RegisterDll: Executing command line: %s ...

"%s\regsvr32.exe" /s "%s\%s"

regwizc.dll

ReadStrings: MultiByteToWideChar on SP_TITLE failed with error code %u

Wrong Flags %d in %ws for %ws

Appending %d %d %d %ws %ws

Reg Type Mismatch, old %d, new %d for %ws\%ws

Failed to open/create the key %ws with error 0x%lx

Failed to get RegKey in %ws Error 0x%lx

Exception hit at line %d of %ws, exception = 0x%lx

Failed on line %d in %ws with error 0xlx

Failed on line %d of Field 0 in %ws

Failed on line %d in %ws with error 0xlx

Failed on line %d in %s with error 0xlx

updates.cab

Installing AppPatch section "[%s]".

DoRegistryUpdates: UpdSpInstallFromInfSection failed for %s with error:0x%lx

Deleting existing AppPatch keys.

1,0,2205,0

No apcompat.inf file, AppPatch will not be updated

apcompat.inf

DoRegistryUpdates: ExConditionalProcessRegOperations failed with error 0x%lx.

msimn.exe

msjava.dll

oledb32.dll

DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s: 0x%lx

ProductInstall.GlobalRegistryChanges.Append

DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s : 0x%lx

DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s: 0x%lx

%s.%s

DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s error: 0x%lx

ProductInstall.GlobalRegistryChanges.Install

ProductInstall.GlobalRegistryChanges.ReInstall

DoNoDelayReplace: Skip on MoveFileEx for %s

DoNoDelayReplaceFailed to copy %s to %s with error 0x%lx

Failed to move %s to %s with error 0x%lx

DeleteOrMoveTarget:Failed to delete the target %s, %d time

DoNoDelayReplace: Atomic replace support not implemented; disabling.

ntdetect.com

NTLSAPI.DLL

LLSSRV.EXE

LLSRPC.DLL

LICCPA.CPL

Changing error code %u (0x%x) to %s (0x%x)

DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_ONCANCELORFAIL.

DoInstallation: GetInternalHalFileName for %s failed during repeated inventory : 0x%lx

DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_AFTERREBOOT.

DoInstallation: Failed to update updsvc.inf; error=0xlx.

DoInstallation: Unregistering spuninst.exe for recovery successful

DoInstallation: Failed to unregistering spuninst.exe for recovery.

DirectoriesToCleanUp.AfterInstall

DoInstallation: ExConditionalProcessShortcutOperations failed with error 0x%lx.

LinkItems.Create

DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_AFTERINSTALL.

ProcessesToRun.Interactive

DoInstallation:RunInfProcesses for %s Failed

DoInstallation:RunInfProcesses for %s Failed

DoInstallation:RunInfProcesses for ProcessesToRun.VM Failed

ProcessesToRun.VM

Num Ticks for Reg update and deleting 0 size files : %d

DoInstallation: RunInfProcesses for %s failed.

Num Ticks for Copying files : %d

DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_BEFOREREGOPERATIONS.

DoInstallation: ExConditionalProcessCatalogOperations (CATALOG_OP_DELETE) failed with error 0x%lx.

Error installing assemblies, GLE=%u

DoInstallation: Installing assemblies with source root path: %s

DoInstallation: ApplyHotpatches returned %s.

Registering spuninst.exe for recovery successful.

Registering spuninst.exe for recovery failed.

LastGood.Tmp

AppPatch.Files

DoInstallation:DoDeleteOnCopyOperations failed

Failed to add section %s to security template: error 0x%lx

Failed to copy spupdsvc.exe to system32

spupdsvc.exe

DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_BEFOREFILECOPY.

cleanjpm.exe

Num Ticks for creating uninst inf : %d

svcpack1.dll

AppPatch.Save.Reg.For.Uninstall

IIS.Save.Reg.For.Uninstall

DoInstallation: ExConditionalProcessArchiveOperations: ARCHIVE_OP_REG failed with error 0x%lx

Save.Reg.For.Uninstall

Num Ticks for Backup : %d

update\updspapi.dll

Check.For.128.Security

DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_BEFOREARCHIVE.

DoInstallation:RunInfProcesses Failed for %s

DoInstallation: Invalid NumInstances: %d

RebootNecessary = %d,WizardInput = %d , DontReboot = %d, ForceRestart = %d

WizShowLastPage failed (%u)

CreateProgressDialog failed (%u)

Num Ticks for Cabinet build : %d

Num Ticks for download : %d

DoInstallation: ApplyAdminSystemAclsRecursive for %s failed; error=0xx

dumpDownloadTask returned 0x%x %s

Num Ticks for invent : %d

Package %s, File %s, Version %s, Branch %s

~rsp~.log

DoInstallation: CreateFile for %s failed: 0x%lx

~req~.log

CreateUninstall = %d,Directory = %s

DoInstallation:UpdSpOpenInfFile for OldUninstallInf file %s not found: 0x%lx

%s\spuninst\spuninst.inf

DoInstallation: GetIndexFilePathIfExist error in function: %d

DoInstallation: FetchSourceURL for %s failed

DoInstallation: Error 0x%lx while evaluating extended conditional section [%s].

ProductInstall.ExtendedConditional

ExtendedConditional.Declare

DoInstallation: SPCacheRoot (%s) directory does not exist, UseCache flag has been reset to 0

SOFTWARE\Classes\conman.exe\DefaultIcon

%s\schannel.dll

End:SnapPendingDelayedRenameOperations

DoInstallation: SnapPendingDelayedRenameOperations failed: 0x%lx

Begin:SnapPendingDelayedRenameOperations

DoInstallation: GetInternalHalFileName for %s Failed: 0x%lx

DoInstallation: ApplyAclInit failed; error=0xx

d:\nt.x86fre\installer\pi_ws03_sp2\update\update\doinst.c

_UPDATE_EXE_QUIET_MODE

ValidateSlipStreamPathsVersion info not present in %s

ValidateSlipStreamPathsVersion info not present in update.inf of SP Package

ValidateSlipStreamPathsVersion Mismatch in %s

ValidateSlipStreamPaths SKU mismatch between paths %s %s\slipstream.inf

ValidateSlipStreamPathsSKU Tag Not found in %s\slipstream.inf

ValidateSlipStreamPathsLanguage Mismatch in %s

ValidateSlipStreamPathsArchitecture Mismatch in %s

Platform string not present in %s

Invalid Inf %s ( 0x%lx )

%s is an invalid slipstream path

slipstream.inf

dosnet.inf

ValidateSlipStreamPathsFile %s not Found ( 0x%lx )

Failed to Delete %s

File %s Deleted

ProductInstall.SlipStreamEx

%s_%d: Delete file %s failed with error %u

Copy of %s to %s hit with error 0x%lx

%s_%d: copy uncompressed file name %s failed with error 0X%x

Source File %s Not Present

%s_%d: Try delete uncompressed file, but cannot find the file, error code: 0X%x

Copy of %s to %s

Source (%s) and Target (%s) are different with respect to compression

CreateSlipStreamExFailed executing %s

Invalid line in %s, Not able to find Dir Section

TagFile %s Not Found in any Paths

Invalid line in %s

CreateSlipStreamExFile %s not Found ( 0x%lx )

%s_%d: cannot get ThisServicePackVersion value from [version] with error 0X%x

%s_%d: %s cannot be opened with error 0x%lx )

%s_%d: failed with error 0X%x

password

passive

reportonly

_UPDATE_EXE_WU_AU_MODE

CabBuild.log

%s_%d: GetUncompressedFileName failed with error 0X%x

%s_%d: IsFileCompressed failed with error 0X%x

%s_%d: copying %s -> %s

copying %s -> %s

copy %s %s -> %s (%s)

%S_%d: Failed. Source file name is too long (longer than %d bytes)

GetGroupIdFromPidGenDll:LoadLibrary failed for %s dll

%s_%d: BINK is %d

GetGroupIdCountFromPidGenDll:LoadLibrary failed for %s dll

hivesys.inf

x86CheckSlipStreamDestination: Invalid handle for file: %s

GetVersionInfoFromDosnet: UpdSpOpenInfFile failed to open file: %s

GetProductType: UpdSpOpenInfFile failed to open file: %s

CheckOSVersion: UpdSpOpenInfFile failed to open file: %s

GetLanguageFromUpdate: UpdSpOpenInfFile failed to open file: %s

GetLanguageFromHivesys: UpdSpOpenInfFile failed to open file: %s

REGDMP_HKEY_TMP\ControlSet001\Services\setupdd

REGDMP_HKEY_TMP

setupreg.hiv

tmpreg.hiv

%s_%d: Cannot determine correct build type from pidgen. Reverting to Generic.

pidgen.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\WindowsFeatures

Windows Media Services

%s_%d: failed to get offline image's spLevel with error 0X%x

%s_%d: StringCchPrintf failed with error code 0X%x

win51%s*

%s_%d: noop for OS %d.%d

%s_%d: Failed. CopyFilesToTarget from %s to %s returned 0X%x

%s_%d: failed to copy target file name and path with error 0X%x

%s_%d: failed to copy source file name and path with error 0X%x

%s_%d: Missing source file %s

%s_%d: copied %s to %s

Deleting %s

ServicePackFilesDelete.files

CreateSlipstream:FileCopy Failure for file: %s

*.cat

ServicePackFilesAlways.files

CreateSlipstream: InfProductBuildType=%s

ServicePackFiles.BuildType.KNEval.Files

ServicePackFiles.BuildType.KNSel.Files

ServicePackFiles.BuildType.Mnt.Files

ServicePackFiles.BuildType.Evl.Files

ServicePackFiles.BuildType.Sel.Files

ServicePackFiles.BuildType.Selx64pro.Files

ServicePackFiles.BuildType.IB.Files

ServicePackFiles.BuildType.WinSB.Files

ServicePackFiles.BuildType.IL.Files

ServicePackFiles.BuildType.IC.Files

ServicePackFiles.BuildType.IW.Files

ServicePackFiles.BuildType.ID.Files

ServicePackFiles.BuildType.IA.Files

ServicePackFiles.BuildType.KNIA.Files

ServicePackFiles.BuildType.IS.Files

ServicePackFiles.BuildType.KNIS.Files

ServicePackFiles.BuildType.IP.Files

%s_%d: WARNING: Failed to get build type.

CreateSlipstream(%s,%s,%s)

%s_%d: find a integrated hotfix for higher service pack

%s_%d: MultiByteToWideChar failed with error: %d

%s_%d: Find file %s failed with error: %d

svcpack\*.cat

%s_%d: failed to get offline image's spLevel with error 0x%x

%s_%d: media has no integrated hotfixes (%s is not found).

%s_%d: failed to build a file path string for svcpack.inf with error 0X%x

%s\svcpack.inf

AnalyzePhaseZero used %u ticks

AnalyzeForBranching used %u ticks.

AnalyzeForBranching: files installed on target workstation are from %s branch which is incompatible with %s branch

AnalyzeForBranching: Package required to migrate %s not found

AnalyzeForBranching: g_bMigrate set to TRUE because target file %s has branch %s which is smaller than branch for %s

AnalyzeForBranching: g_bRepeatInventory set to TRUE because target file %s has branch %s which is greater than branch for %s

AnalyzeForBranching: Getting file version for file %s failed with error 0xx

AnalyzeForBranching: Using effective target %s for %s

AnalyzeForHotpatching used %u ticks.

AnalyzeForHotpatching: Hotpatch target added; source=%s,target=%s.

AnalyzeForHotpatching: Analyzing source=%s,target=%s...

AnalyzePhaseTwo used %u ticks

AnalyzePhaseThree used %u ticks

AnalyzePhaseSix used %u ticks

Missing file %s

Unable to copy existing clone "%s" to "%s", GLE=0x%lx

AnalyzePhaseSeven used %u ticks

ScanReferenceDirectory used %u ticks

Scanning reference directory "%s"%s

Unable to copy source clone "%s" to "%s", GLE=0x%lx

Source clone %s was found.

ScanReferenceCabinet used %u ticks

$CABREF$.TMP

Scanning reference cabinet "%s"

ScanReferenceSetupSource used %u ticks

$CMPREF$.TMP

Scanning reference setup source "%s"%s

Free space of directory %s adjusted to %I64u

Allocation size of drive %c: adjusted to %u

Allocation size of drive %c: is %u bytes, free space = %I64u bytes

hal.dll

InfContainsCatalogFileKey:SetupQueryInfOriginalFileInformation Failed with error: 0x%lx

InfContainsCatalogFileKey:SetupGetInfInformation Failed with error: 0x%lx

Third Party Provider = %s for %ws

AnalyzePhaseFive used %u ticks

GetDiskUsageInfo:AddDiskUsageInfo failed to add space to drive containing %s file

In-box driver %ws is signed by oem catalog %s.

Oem driver %ws is signed by %s and will not be replaced

SetupDiGetDriverInfoDetail in CollectThirdPartyDriversFromDevice Failed with error: %d

SetupDiCallClassInstaller in CollectThirdPartyDriversFromDevice Failed with error: %d

Found %s in %s

DEVICEID.EXCLUSIONS

SetupDiSetSelectedDriver in CollectThirdPartyDriversFromDevice Failed with error: %d

SetupDiBuildDriverInfoList in CollectThirdPartyDriversFromDevice Failed with error: %d

SetupDiGetDeviceInstallParams in CollectThirdPartyDriversFromDevice Failed with error: %d

Failed to get the TargetSection Path of %s (error 0x%lx )

CheckDeviceNodes: component %s: no target found %s

CheckDeviceNodes: No source component found for %s

CmTargetNodeFlags for %s are 0x%lx

CmTargetNodeFlags modifed for %s are 0x%lx,

%s\%s

AnalyzeDevices used %u ticks

Failed to enumerate %s error( 0x%lx )

Enumerating Devices of %s, GUID %s

AnalyzeCachedSourceFiles used %u ticks

AnalyzeCachedSourceFiles: returns 0X%x

AnalyzeCachedSourceFiles:StringCbCopy effective file name failed, 0X%x

AnalyzeCachedSourceFiles: Use cached source file %s for Source %s

AnalyzeCachedSourceFiles: Source %s version is not valid

AnalyzeCachedSourceFiles: SPCache file %s does not exist

AnalyzeCachedSourceFiles: PFRGetFileVersionEx return %u

EffectiveFileName %s

AnalyzeCachedSourceFiles: don't need to copy %s

AnalyzeCachedSourceFiles: Initialized %s's EffectiveFileName to %s

PROVIDER.EXCLUSIONS

OEMDriver.Exclusions

AnalyzePhaseOne: used %u ticks

%s is in the list of oem drivers...skipping copy!

OEM file scan used %u ticks

bPatchMode = %s

Downloading %u files

AnalyzeComponents used %u ticks

AnalyzeComponents: Branch %s is not applicable to target workstation

AnalyzeComponents: Hotpatching is %s.

hXXp://

/isapi/pstream3.dll/

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

LoadWininet:GetProcAddress Failed for %s: 0x%lx

LoadWininet:LoadLibrary for wininet.dll failed

wininet.dll

InventoryQueueCallback:Not enough Memory to create component target for %s file

InventoryQueueCallback:Not enough Memory to create component file for %s file

ProtectedPatchDownloadCallback:Callback function failed with error %d

FixTimeStampOnCompressedFile : Invalid handle value for file %s

Wininet.InternetConnect failed with error: 0x%lx

Wininet.HttpOpenRequest failed with error: 0x%lx

HttpSendRequest unsuccessful (%u)

HttpSendRequest failed %u

HttpQuery status code failed %u

InternetErrorDlg password prompt for HTTP %u cancelled by user

InternetErrorDlg password prompt for HTTP %u failed %u

HttpSendRequest status %u but not allowed to prompt for credentials

InternetErrorDlg NO_UI for HTTP %u failed %u

HttpSendRequest returned HTTP status %u %s

update.exe

ConnectAndSendRequest:Invalid name for Source URL

ProcessDownloadChunk: WriteFile into %s file failed with error: 0x%lx

ProcessDownloadChunk: CreateFile for %s file failed (%u)

Apply IPD failed: %s on %s to get %s, GLE=%u

Apply failed: MyUpdSpDecompressOfCopyFile(%s,%s)

Apply failed: %s on null to get %s

Apply failed: %s on %s to get %s

Unable to recover %s from reference cabinet %s

Unable to identify patch candidate for %s

AddSourceURL:Allocation failure for Url

Software\Microsoft\Windows NT Service Pack

FetchSourceURL: Memalloc failure for pszSUSSourceFile

_SFX_NoDefaultURL

_SFX_SourceFilesURL

DownloadAndPatchFiles: loading of Wininet support failed

SessionId:%u

Software\Microsoft\Windows NT\CurrentVersion\ServicePack

Max download retries exceeded, GLE=0xX

Failed DownloadAndPatchFiles, GLE=0xX

Calling DownloadAndPatchFiles for %u files

LoadIPDHints: %s <- %s would form a cycle; ignored

LoadIPDHints: source component file %s has no signature

LoadIPDHints: No source component file %s

LoadIPDHints: No target component file %s

Inventory complete: ReturnStatus=%u, %u ticks

InventoryThread: IncludeDirectoryIdFromInf failed during update.inf reload process

InventoryThread: SetQueuedDirectoryIds failed during update.inf reload process

InventoryThread: ExConditionalProcessCatalogOperations failed with error 0x%lx.

Version: %s

FileName: %s

Reading file key: %s

EnumRegKey: Key: %s SubKey: %s

Blocklist: s Suggested fix %s

Blocklist: s Max Version is %s, 6I64X

Blocklist: s Min Version is %s, 6I64X

BlockList INF Configuration: %s

No %s file.

updtblk.inf

BlockListInitialize: Type %s.

Enumerating files: %s

%s\%s\Filelist

%s %-14s %s

Enumerating fixes: %s

Enumerating SPs: %s

FileIsBlocked: File s version 6I64X is blocked from installation

Failed to allocate memory for %u entires.

Error getting find handle for %s

FindFirstFile %s

Invalid file format: %s

Failed to open %s

MarkHotfixesForMigration: Failed to get hash for target %s; Error=0xx

MoveFile(%s, %s) failed %u

Rename failed. Destination path %s exists.

Rename failed. Source path %s does not exist.

MigrateHotfix: Hotfix %s successfully migrated

RegSetValueEx(%s) failed %i

Update.exe failed %u.

SpawnProcessAndWaitForItToComplete failed %u

Migrating QFE %s with command line: update.exe -Z -Q -B:%s

update\update.exe -Z -Q -O -B:

QFE %s has no backup directory to migrate.

MigrateHotfix: Migrating hotfix %s

MigrateHotfixes: Return code: %u

MigrateHotfixes: Migration of %s failed

SetEnvironmentVariable(_HFM_EXE_PATH, %s) failed %u

UdpStopService: ControlService failed :0x%lx

UdpStopService: OpenService failed :0x%lx

UdpStopService: OpenSCManager failed :0x%lx

SOFTWARE\Microsoft\Updates\UpdateExeVolatile

setupapi.dll

%u.u:

%s: malloc pUserSid failed

%s: GetTokenInformation for TokenUser failed: 0x%lx

%s: malloc for TokenUser failed

%s: TokenUser Sid is big than %d bytes

%s: malloc pOwnerSid failed

%s: GetTokenInformation for TokenOwner failed: 0x%lx

%s: malloc for TokenOwner failed

%s: TokenOwner Sid is big than %d bytes

%s: OpenProcessToken failed: 0x%lx

%s: AllocateAndInitializeSid failed: 0x%lx

%s: malloc pBuf failed

GetFileVersion of %s resulted in exception %d

GetInternalFilename of %s resulted in exception %d

\StringFileInfo\xx\

System\CurrentControlSet\Control\Windows

Failed to Open the CSDVersion Key error: 0x%lx

WTHelperGetProvCertFromChain

CryptCATCatalogInfoFromContext

wintrust.dll

rsaenh.dll

%s\%s.asms

kernel32.dll

End: RunInfProcesses->%s

Return Code = %u

RunInfProcesses: SpawnProcessAndWaitForItToComplete on "%s" in [%s] failed: 0x%lx

RunInfProcesses: SpawnProcessAndWaitForItToComplete on "*" in [%s] failed: 0x%lx

Working directory: %s

Starting process: %s

Ignoring the proccess %s

Begin: RunInfProcesses->%s

IsFileExists(): Exception hit for %s ( error = 0xlx )

Failed Deleting %s %u

Failed To Set LKG Key

Message displayed to the user: %s

CustomizeCall:GetProcAddress for %s failed: 0x%lx

GetFileSecurity failed with error 0x%lx for file %s

0123456789

FindOrMountSystemPartition: System partion is now mounted as drive %c.

FindOrMountSystemPartition: System partion already mounted as drive %c.

FindOrMountSystemPartition: RegOpenKeyEx failed; error=0x%lx.

SetAltOsLoaderPath: RegOpenKeyEx failed; error=0x%lx.

Failed To Write %s error 0xlx

%s = %s

seed obtained from session key

Failed to open the Signing Key with error 0x%lx

Class install of %s failed with error 0xlx

Starting install of the Class %s

Class Dll --> %s of %s is not copied. Skipping Device install class

ProductInstall.ClassInfsToInstallAlways

ProductInstall.ClassInfsToInstallIfExist

WM_QUERYENDSESSION: %s

WM_ENDSESSION: %s

Failed to create windows 0xlx

%s: SetupGetLineText failed: 0x%lx

%s: %s is not in update.inf

Software\Microsoft\Windows NT\CurrentVersion

SYSTEM\CurrentControlSet\Control\Windows

Failed to open the Setup Key 0x%lx

ProcessDynamicStrings: Operation type not found.

ProcessDynamicStrings: %s is not a supported operation

ProcessDynamicStrings: Insufficient parameters for InstallPathEnvVar operation.

ProcessDynamicStrings: Key not found for operation %s.

ProcessDynamicStrings: UpdSpSetDynamicString failed on %s to %s: 0x%lx

ProcessDynamicStrings: all %%%s%% replaced with %s.

ProcessDynamicStrings: InstallPathEnvVar failed to find environment variable %s

ProcessDynamicStrings: ExpandEnvironmentStrings failed on %s: 0x%lx

ProcessDynamicStrings: InstallPathEnvVar for %s returned %s

ProcessDynamicStrings: Insufficient parameters for InstallPathRegistryKey operation.

ProcessDynamicStrings: InstallPathRegistryKey for %s,%s failed

ProcessDynamicStrings: InstallPathRegistryKey for %s,%s returned %s

ProcessDynamicStrings: RegOpenKeyEx failed: 0x%lx

ProcessDynamicStrings: InstallPathRegistryKey failed to process unsupported data type: 0x%lx

ProcessDynamicStrings: Insufficient parameters for CustomStringTable operation.

ProcessDynamicStrings: CustomStringTable for %s failed to find the string.

ProcessDynamicStrings: CustomStringTable for %s returned %s

ProcessDynamicStrings: Insufficient parameters for CustomFunction operation.

ProcessDynamicStrings: LoadLibrary for %s failed: 0x%lx

ProcessDynamicStrings: GetProcAddress for %s failed: 0x%lx

ProcessDynamicStrings: CustomFunction for %s returned %s

DeRegistering the Uninstall Program -> %s, %d

TurnOffSfc: Leave issued; file=%s, line=%d, LastError=0x%lx

d:\nt.x86fre\installer\pi_ws03_sp2\update\splib\common.c

%s_%d: failed copy string with error 0X%x

%s_%d: more than one file in single file cab: %s.

%s_%d: failed to get string length with error 0X%x

GetCatVersion: Failed to retrieve version information from %S with error 0x%lx

GetCatVersion: %S has version of 0, this may indicate error converting version string.

%s: Invaild registry hive %s for query %s, %s.

%s: Error creating buffer for expanding value %s, %s, %s.

%s: Error expanding value %s, %s, %s.

%s: Error extracting %s, %s, %s, 0x%1x.

%s: Unable to allocate memory of size %d for query %s, %s, %s.

%s: Unable to read %s, %s, %s, 0x%1x.

%s: Unable to open %s, %s, 0x%1x.

AppPatch.Exclusions

File not found %s

Unable to open the File %s ( error 0x%lx )

_d_.tmp.dll

DeleteOrMoveTargetInternal: targetfile is %s

CopyNTLDR: targetfile is %s

gdi32.DLL

Clusapi.DLL

Advapi32.DLL

SXS.DLL

kernel32.DLL

newdev.dll

CryptHashPublicKeyInfo

crypt32.dll

psapi.dll

Cabinet.dll

Failed To Create Link -3 %s

@.lnk

Failed To Create Link -2 %s

Failed To Create Link -1 %s

ValidateSingleFileSignature(): Exception hit for %s ( error = 0xlx )

UpdateExeVolatile_AppendSystemTime: NtQuerySystemInformation failed: 0x%lx

UpdateExeVolatile_AppendSystemTime: StringCbPrintf failed: 0x%lx

%s_6I64X

UpdateSpUpdSvcInf: Failed to write temp inf "%s"; error=0xlx.

UpdateSpUpdSvcInf: Failed to copy "%s" -> "%s"; error=0xlx.

UpdateSpUpdSvcInf: Failed to open target inf "%s"; error=0xlx.

UpdateSpUpdSvcInf: Failed to open temp inf "%s"; error=0xlx.

spupdsvc.inf

UpdateSpUpdSvcInf: Source [%s] section is empty; nothing to do.

Signature="$Windows NT$"

Return values from CM_Get_DevNode_Status %d problem = %d

UpgradeDevice for %s resulted in exception 0xlx

Failed to install device %s with error code 0x%lx

Starting Upgrade For %s from %s

Starting Backup For %s

%s.%d.old

setupapi.log

StringCbCopy Failed with error 0x%lx ( %s )

%s_%d: GetModuleFileName failed with error 0X%x

%s_%d: StringCchCopy failed with error 0X%x

%s_%d: failed to get parent directory of update.exe, return 0X%x

%s_%d: failed to get current directory of update.exe, return 0X%x

MyGetFileVersion of %s resulted in exception %d

InstallCatalogFile: InstallCatalog failed for %s; error=0xlx.

InstallCatalogFile: VerifyCatalogFile failed for %s; error=0xlx.

DeleteCatalogFile %s failed with ERROR %d

InstallInfCatalogFile: Installing %s as %s...

_d_.cat

InstallCatalogFile: Missing CatalogFile key in Version section of %s; nothing to do.

InstallInfCatalogFile: Error opening %s; error=0xlx.

Policy restored to %d

Policy Changed From %d to %d

InstallSingleCatalogFile: MyVerifyCatalogFile failed for %s; error=0xlx.

InstallSingleCatalogFile: MyInstallCatalog failed for %s; error=0xlx.

PFE2: SVCPACK1.DLL not found; Not avoiding Per File Exceptions.

PFE2: Failed to copy SVCPACK1.DLL; error=0x%lx.

SVCPACK1.DLL

SFC.DLL

%s (version %u.%u.%u.%u)

u/u/u u:u:u.u (local)

%s.%u.log

Not able to find %s in the package

InitializeSvcPackLogWrapper: Unable to write to user-supplied log path: %s

Exception hit In the ComputeValue() for Op %d

%s is Present

%s is Not Present

Exception hit In the CustomFunction() %s

%s returned value( 0x%lx ) which is %ws 0x%lx

%s returned %d

Return Value From %s = %d

%s is not Present in %ws

Exception hit In the ExecuteMsiOperand() for Op %d in %ws

Component path for %ws is %ws (not exe or dll)

Component %ws is not installed ( %d)

Not able to Load msi.dll

msi.dll

Exec %ws: Input Int Value for key %ws Error = 0x%lx

Exec %ws: Input value not Found ( 7th Field ) for Key %ws

Exec %ws: Types don't match of Key %ws

Exec %ws: Wrong Op in 6 th Field of Key %ws

Exec %ws: Result ValueName %ws Not Found For Key %ws

Exec %ws: Result %ws Key Not Found

InternalFileName of %s is %ws %s

InternalFileName of %s is %ws %s

File %s Not Found

Syntax Error in %ws unknown operand ( %ws )

Wrong syntax in Line %d of %ws

Syntax: Wrong Op Name in line %d of %ws

Unexpected Error While Executing Line %d ( %ws ) of %ws

Condition Check for Line %d of %ws returned FALSE

Syntax: Probelm in %d

Condition succeeded for section %ws in Line %d of %ws

\\.\WMIDataDevice

%d:%s

FileInUse:: application: %s was listed in the excludes list and has a file in use - reboot required

FileInUse:: service: %s was listed in the excludes list and has a file in use - reboot required

FileInUse:: Add to list - Application Name: %s PID: %i Image Name: %s

FileInUse:: Application detected - PID: %i Image Name: %s Friendly Name: %s

FileInUse:: Added to SystemExcludes list: %s

FileInUse:: Added to UserExcludes list: %s

FileInUse:: Added to Filelist: %s

InitFileInUseDetection: No DelayFile %s; reboot will be required.

FlieInUse::%s long image name %s, (> %d char)

FileInUse:: IsTaskUsingModule: Process name: %s, module to search %s

FileInUse:: Add to list - Service Name: %s

FileInUse:: Add to list - Service Name: %s ImageName: %s

%s::StringCchCopy failed with error 0x%lx

FileInUse:: PrintTasksUsingModule: No tasks found using %s

Failed to open the device %ws Depth %d

Unisntall the device %ws at Depth %d

Uninstall the Device %ws at Depth %d

Unable to locate the Device ID %d 0x%lx

Failed to set SPDRP_CONFIGFLAGS of %s error (0x%lx )

Failed to get SPDRP_CONFIGFLAGS of %s error (0x%lx )

Reinstall the device %s

Restarted Device %s

Device Removol of %s was vetoed by %s ( veto type %u )

CM_Locate_DevNode_ExW of %s failed with error 0x%lx

Unable to insert the Parent Dev Id %s into Restart List

Unable to locate the Parent Device of %s ( Id = 0x%lx ) ( error %d )

Unable to find the Parent DevNode of %s ( error = 0x%lx )

WriteSecuritySection: Failed, line too long at section [%s]

"%s",%d,"%s"

[Registry Keys]

Failed to Write the Key %ws

Size of Key %ws is %d Greater than 1024

Software\Microsoft\PCHealth\ErrorReporting\DW\Installed

Failed To Get Windows Dir 0x%lx

%s\Temp

Failed MultiByteToWideChar for %s with error 0x%lx

[FilesToKeep] %s Not Found

Failed to copy from %s to %s

ReportingFlags

[%s] Masking error code %x, and returning STATUS_RETRY_SELF_CONTAINED

susdl.req

[%s] SUS_SHARED access exception 0x%x

[%s] SUS_SHARED version mismatch (%u expecting %u)

SaveAs=%s

%s: Insufficient memory allocating candidate info for %s

[%s] This candidateInfo entry is corrupt. Signature: %s

%s:Inventory candidate %u = %s, 0x%x

[%s] getListIntoCandidateInfoArray: To be extracted from cabinet %s, path in cab: %s

[%s] This candidateInfo entry maybe corrupt. Signature: %s

[%s] Insufficient memory allocating candidate info for %s

[%s] Returning 0x%x

[%s] bad_alloc exception (constructing Inidata?)

[%s] encountered exception: 0x%u

[%s] We have all necessary files for the package to install. Return STATUS_READY_TO_INSTALL

[%s] Error writing to request file to patch %s

[%s] Request to download fallback for %s, size = %u

[%s] Request to download delta for %s, size = %u, basis = %s

[%s] RequestFile %s construction failed. 0x%x

[%s] Error Initializing request file %s

%s\%s.blob

[%s] Alloc failure in RequestFile %s construction.

[%s] Patch for the required file %s is missing. Abort.

[%s] Source:%s, target = %s. CopyFile failed, even after creating the path. Maybe CreateDirectory failed

[%s] Failed copying backup file %s from %s, since we are out of disk space. Abort

[%s] Successfully extracted %s from %s. Path inside cab: %s

[%s] Failed SetFileAttributes for %s, error %d. Ignore and continue.

[%s] ERROR extracting %s from %s. Path inside cab: %s. Error: 0x%x. Will go for Fallback

[%s] Failed extraction of backup file %s from cabinet %s, since we are out of disk space. Abort

[%s] Backup Patch candidate %s to %s

[%s] ConstructFilePathInSandBox error (0x%x)

[%s] Error 0x%x returned from getBestPatchCandidatesForFile( %s )

[%s] Update.exe posting request file to download a total of %u bytes (%u bytes in patches and %u bytes in fallbacks)

[%s]returned 0x%x

[%s] Processing binary %s...

[%s] Error Unmapping previous view of file. 0x%x

[%s] MapViewOfFile error 0x%x mapping view for %s

[%s] CreateFileMapping error 0x%x mapping %s

[%s] GetFileSize error 0x%x, File: %s

[%s] CreateFile error 0x%x opening %s

[%s] fields were empty

[%s] Response file %s is not found (%u)

[%s] returning STATUS_READY_TO_INSTALL

[%s] request file posted, STATUS_MORE_FILES_FOR_DOWNLOAD

[%s] MoveFile failed to move %s to %s: 0x%x

[%s] RequestFiles %s and %s are not equivalant.

[%s] Last 3 req files seem equivalant. No point retrying. Return STATUS_RETRY_SELF_CONTAINED

[%s] RequestFiles %s and %s are equivalant.

[%s] Number of request retries exceeded. Give up and return.

%s%s%d

[%s] DeleteFile call failed to delete response blob %s. Error: 0x%x

[%s] Returning error: 0x%x

%s: SetFileTime on %s failed (%u)

[%s] WriteBigFile error 0x%x, writing to %s

%s: SetFilePointer error 0x%x to %s

[%s] WriteRequestData failed for %s: 0x%x

[%s] getFallbackDataForFile failed for %s: 0x%x

[%s] Error initializing ini file %s: 0x%x

[%s] Bad Alloc exception initializing ini file %s: 0x%x

[%s] Error creating 2nd request file %s: 0x%x

[%s] Bad Alloc exception creating 2nd request file %s: 0x%x

[%s] Requesting fallback for %s

[%s] Exception occured in reading Blobfile.

[%s] Exception thrown while attempting to patchapply

[%s] The target file %s already exists. Proceeding to next

[%s] MD5 of %s file is wrong (%s, %u, %u)

[%s] SafeCompleteMD5 error: 0x%x. Will request fallback

[%s] ApplyPatchToFileByBuffers returned: 0x%x. Will request fallback for %s

[%s] DeleteFile for the patch basisfile %s failed: 0x%x. Ignore and continue

[%s] ConstructFilePathInSandBox returned: 0x%x

[%s] Corrupt CRC in response blob (%s, %u, %u)

[%s] Exception X reading mapped response blob (%s, %u, %u)

[%s] Corrupt header in response blob (%s, %u, %u)

[%s] Error occured reading %u bytes from responseBlob: 0x%x

[%s] Error occured reading next request: 0x%x

[%s] Responding to a CANCEL operation

[%s] Error occured opening response %s (%u)

[%s] Error getting sandbox dir path (%u)

[%s] RequestFile parsing failed : 0x%x

[%s] Index file is missing, abort.

[%s] No files to patch

[%s] Error reading range requests (%u)

[%s] Error reading file requests from request file %s (%u)

[%s] Unable to open request file %s (%u)

[%s] GetReqFilePath failed %u

[%s] PATCH_REQUEST_CANDIDATES constructor encountered bad_alloc exception

[%s] Fallback type: 0x%x, [Off] 0x%x, [len] 0x%x

[%s] Patch Signature: 0x%x, [Off] 0x%x, [len] 0x%x

[%s] IniSection: %s

[%s] Failed reading file %s (%u)

[%s] Could not allocate %u bytes of memory

[%s] Unable to get file size for %s

[%s] Unable to open file %s

%s=%x,%x,%x,%s,%s

MyFindBranchForFileByName: Error 0x%lx while trying to retrieve branch information from %s

HfCleanUpTempFolders: Failed to remove folder %s.

VerifyIntegrationSources: Package %s not found.

VerifyIntegrationSources: Target %s not found.

MachineTypeFromFilename: Error 0x%lx while trying to retrieve machine type from %s.

ExtractPackage: Process %s failed with error 0x%lx.

%s /x:%s /q

%s\%s\svcpack\branches.inf

%s\%s\svcpack\TempCatalogStore

UpdateTargetUsingBestOf: Error, package contains file %s, which is not present in the inventory.

CopyBranchesInfToSvcPack: Error 0x%lx opening branches.inf

CopyBranchesInfToSvcPack: Error 0x%lx retrieving the version of branches.inf

%s\branches.inf

CopyBranchesInfToSvcPack: Error 0x%lx retrieving information from %s.

GetHotfixInformation: Failed to open %s with error 0x%lx

GetHotfixInformation :failed to build szFilePath for target (%s), error code 0X%x

GetHotfixInformation: unexpected failure to locate a file node by source file name %s

ProductInstall.Slipstream.Hotfix

%s\update.exe

%s\common\update.exe

PrepareTargetFile: Error 0x%lx while preparing %s.

PrepareTargetFile: Error 0x%lx while deleting compressed file %s.

PrepareTargetFile: Error 0x%lx while trying to decompress file %s.

PrepareTargetFile: failed to copy to the temporary file path buffer 0X%x

PrepareTargetFile: failed to build the temporary file path buffer 0X%x

%s\%s\%s

PrepareTargetFile: failed to get target file path length 0X%x

%s\update\update.inf

%s\update\branches.inf

%s\update\updatebr.inf

%s\xpsp1hfm.exe

IsUpdateInfValidForTarget: Build mismatch in %s: %d < %d > %d.

IsUpdateInfValidForTarget: MajorVer mismatch in %s: %d < %d > %d.

IsUpdateInfValidForTarget: MinorVer mismatch in %s: %d < %d > %d.

IsUpdateInfValidForTarget: SPLevel mismatch in %s: %d < %d > %d.

IsUpdateInfValidForTarget: Platform mismatch in %s: %s != %s.

IsUpdateInfValidForTarget: Lang mismatch in %s: %lx != %lx.

IsUpdateInfValidForTarget: Unable to retrive information from hotfix %s.

%s\update.url

IsPackageValidForTarget: Error 0x%lx while opening file %s.

IsPackageValidForTarget: branch %s is not specified in updatebr.inf

IsPackageValidForTarget: %s does not exist.

IsPackageValidForTarget: Using alternate SP level of %d to determine branch.

IsPackageValidForTarget: %s is missing or empty!

IsPackageValidForTarget: Failure reading SP level from %s line %d.

IsPackageValidForTarget: No default branch defined for SP level %d. Searching for alternate SP Level.

%s\updatebr.inf

IsPackageValidForTarget: %s does not appear to be a valid dual mode package.

%s\%s\update

%s\SP*

IsPackageValidForTarget: %s doesn't exist.

%s\update.inf

%s\update

%s\%s\svcpack\HFINT.dat

CopyHotfixAndCatalogToSvcPack: Error 0x%lx while trying to copy file %s to %s

%s\update\%s

%s\%s\svcpack\%s

%s\%s.exe

%s\%s\svcpack

FixUpSvcpackInf: Failed to open %s

FixUpSvcpackInf: Failed to write CatagSubDir key to svcpack.inf

"\%s\svcpack"

FixUpSvcpackInf: Failed to write BuildNumber key to svcpack.inf

FixUpSvcpackInf: Failed to write MinorVersion key to svcpack.inf

FixUpSvcpackInf: Failed to write MajorVersion key to svcpack.inf

FixUpSvcpackInf: Failed to write Signature key to svcpack.inf

"$WINDOWS NT$"

FixUpSvcpackInf: Failed to write [CatalogHeader] section to svcpack.inf

%s\%s\svcpack.inf

FixUpSvcpackInf: Failed to delete compressed version of svcpack.inf (0x%lx).

%s\%s\svcpack.in_

AddHotfixAndCatalogToSvcpackInf: Error 0x%lx while writing ProductCatalogsToInstall key

AddHotfixAndCatalogToSvcpackInf: Error 0x%lx while writing SetupHotFixesToRun key

AddHotfixAndCatalogToSvcpackInf: failed to build [SetupHotfixesToRun] line %s, error code 0X%x

%s.exe /q /n /z

%s.exe /q /n /z /b:%s

AddHotfixAndCatalogToSvcpackInf: There was an error fixing up SVCPACK.INF: 0x%lx

CopyHotfixFilesToSource: Error 0x%lx while copying %s to %s

AddFilesToDosNet: Error 0x%lx while trying to open %s

AddFilesToDosNet: StringCbPrintf failed to build d%d, %s, error code 0X%x

AddFilesToDosNet: failed to get string length (%s)

AddFilesToDosNet: target file path (%s) does not contain root path (%s)

AddFilesToDosNet: Error 0x%lx writing %s to %s

Stripped Dir Name:%s From: %s

d%d,%s

AddFilesToDosNet: StringCbPrintf failed to build d1, %s, error code 0X%x

d1,%s

AddFilesToDosNet: Error 0x%lx writing %s to [Directories]

AddFilesToDosNet: StringCbPrintf failed to build d%d, error code 0X%x

AddFilesToDosNet: enum key in [Diretories]: szKeyName(%s), szValue(%s)

AddFilesToDosNet: StringCbCopy failed to copy section name "Directories", error code 0X%x

%s\%s\dosnet.inf

AddOptionalSrcDirToDosNet: Error 0x%lx while writing OptionalSrcDirs info to %s

Unable to determine what type of package %s is.

GetBuildInformation: Error 0x%lx while trying to retrieve target OS version information from %s.

GetTargetOSLanguage: Error 0x%lx while trying to retrieve target OS language information from %s.

%s\%s\hivesys.inf

GetSKUInfo: Error 0x%lx was encountered while retriving SKU information from %s.

%s\%s\layout.inf

GetSKUInfo: Error 0x%lx while trying to open file %s.

GetSKUInfo: %s is an unknown SKU. ProductInfo = %d

Error 0x%lx enountered while retrieving service pack level information from %s

GetServicePackLevel: Unable to open %s. GLE = 0x%lx

%s\%s\drvindex.inf

%s\%s\svcpack\*.cat

%s\%s\*.cat

CopyCatalogFilesToTempStore: Error 0x%lx while copying %s to %s.

%s\%s\svcpack\TempCatalogStore\%s

%s\%s\*.ca_

CopyCatalogFilesToTempStore: Error 0x%lx while trying to create %s

RemoveTempCatalogStore: Error 0x%lx while removing directory %s.

RemoveTempCatalogStore: Error 0x%lx while trying to delete %s.

%s\*.*

TARGET: Branch: %s

TARGET: Version (str): %s

TARGET: Path: %s

SOURCE: Branch: %s

SOURCE: Version (str) %s

SOURCE: Path: %s

File Name: %s

PACKAGE: %s

GetFileListInformation: Error 0x%lx retrieving version information about %s

GetFileListInformation: Error 0x%lx retrieving version information from %s

GetFileListInformation: Unable to retrieve version information from %s because file lacks version resources.

%s is not a valid hotfix for %s.

Error 0x%lx while trying to open %s.

FindOverlapingPackages: Error 0x%lx retrieving file from [%s] section.

FindOverlapingPackages: Error 0x%lx while attempting to retrieve information about package %s

FindOverlapingPackages: Branch information is missing for %s.

FindOverlapingPackages: Error 0x%lx while retrieving branch information about %s.

%s\%s\svcpack\%s.exe

%s does not exist, skipping search for overlapping files.

%s\%s\svcpack\HFINT.DAT

Version: %s

Branch: %s

FileName: %s

Reinventory is required for %s: %s -> %s

IntegrateHotfix: Error 0x%lx while integrating hotfix %s.

IntegrateHotfix: Branch initialization is required for branching packages, terminating execution.

IntegrateHotfix: Error 0x%lx updating branches.inf

IntegrateHotfix: Package %s is not valid for target %s.

IntegrateHotfix: Error 0x%lx while creating the %s\%s\svcpack folder.

IntegrateHotfix: Error 0x%lx while gathering information about target %s.

WIAddKeyNode: Unable to allocate memory for new key node.

WIEnumKey: wrong input parameter pLastKey (0X%x) or inconsistent state of in memory inf, keyIndex (0X%x) secIndex(0X%x)

WIOpenInf: Error 0x%lx while reading file %s

WIOpenInf: Unable to allocate enough memory to load %s.

WIOpenInf: Error 0x%lx while opening file %s.

WIFlushToFile: Error 0x%lx while writing to file %s.

WIFlushToFile: Error 0x%lx while opening file %s.

%s=%s

WICloseInf: Error writing inf to file %s.

In Function %s, line %d, RegQueryValueEx failed with error 0x%lx

In Function %s, line %d, RegOpenKeyEx failed with error 0x%lx

In Function %s, line %d, RegQueryValueEx failed, not a DWORD type

In Function %s, line %d, RegSetValueEx failed with error 0x%lx

In Function %s, line %d, RegCreateKeyEx failed with error 0x%lx

PSShL

t0=HKLMt =HKCRt

=HKCRt

=.cabu

PSSShtP

QPSShtP

t.SSj

SSSSSSh

SSSSSSh!

SSSSSSh"

SSSSSSh#

SSSSSSh$

SSSSSSh%

SSSSSSh&

SSSSSSh'

SSSSSSh(

t.VVj

GSSSSh

;C t.WWWW

=.idau

.relu

<.uX;]

SSSShPN

PSSh<

u#SSSShL

PSSSSSSh

u"SSSh

SETUPAPI.dll

SetupDiOpenDevRegKey

CM_Open_Class_KeyA

ADVAPI32.dll

COMCTL32.dll

CRYPT32.dll

GDI32.dll

imagehlp.dll

KERNEL32.dll

MPR.dll

msvcrt.dll

ntdll.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

RPCRT4.dll

SHELL32.dll

UPDSPAPI.dll

USER32.dll

USERENV.dll

VERSION.dll

WINSPOOL.DRV

ReportEventA

RegLoadKeyA

RegUnLoadKeyA

RegCreateKeyExW

RegQueryInfoKeyA

RegSaveKeyA

RegFlushKey

RegOpenKeyA

RegSetKeySecurity

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegOpenKeyExA

RegCloseKey

RegOpenKeyExW

CertCreateCertificateContext

CertOpenStore

CertSetCertificateContextProperty

CertAddCertificateContextToStore

CertCloseStore

CertFreeCertificateContext

GetWindowsDirectoryW

GetProcessHeap

GetWindowsDirectoryA

_acmdln

NtYieldExecution

EnumWindowStationsA

OpenWindowStationA

GetProcessWindowStation

SetProcessWindowStation

CloseWindowStation

EnumWindows

EnumChildWindows

D:\binaries.x86fre\SCP_WPA\update.PDB

software\microsoft\active setup\installed components\{a00bf2eb-56ee-4fde-b5ea-6a8fa425b2a5}

software\microsoft\active setup\installed components\{2eac6a2d-57a8-44d4-96f7-e32bab40ca5f}

Leave issued: file = %s, line = %d, ESP = 0xx, EBP = 0xx

c:\windows\$hf_mig$\KB968930

%WinDir%

%WinDir%\$968930Uinstall_KB968930$\*

No Windows Management Framework Core

%WinDir%\INF\oem11.inf

%WinDir%\$968930Uinstall_KB968930$

c:\windows\KB968930.log

KB968930Uninst.log

%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf

%WinDir%\$968930Uinstall_KB968930$\spuninst

c:\1a581e7121a380047c3556\

pdate\update.exe

%System%

:\1a581e7121a380047c3556\powershell_ise.resources.dll

lhost.resources.dll

ell.dll

lp.xml

c:\1a581e7121a380047c3556\update\update.inf

c:\windows\repair\setup.log

Starting process: "%WinDir%\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe" /install "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.Editor.dll"

t.dll"

t.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

c:\windows

E.RESOURCES.DLL

.0 SP1 from hXXp://go.microsoft.com/fwlink/?linkid=153680 and rerun Windows Management Framework Core Setup

33333333333333330

NTDLL.DLL

ntuser.da_

sWatsonManifestMode.Cancel

WatsonManifestMode.Reboot

WatsonManifestMode.BeforeArchive

r (%s %d %s)

Wsxs.dll

ClassInstall32.NTAMD64

ClassInstall32.NTIA64

ClassInstall32.NTX86

ClassInstall32.NT

sProductInstall.ClassInfsToInstallAlways

.SPAttr

{4D36E97E-E325-11CE-BFC1-08002BE10318}

SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\update

sysoc.inf

Ocmanage.dll

%s\security\logs\%s.log

%s\security\database\%s.sdb

scecli.dll

%s%s%s

-d %s

%s%s%s%s%s

Main_ReportBtn

\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

\StringFileInfo\xx\FileBranch

\inf\branches.inf

Prereq.PowerShell.Section

POWERSHELL_ISE.RESOURCES.DLL

LP.XML

ISE.RESOURCES.DLL

LHOST.RESOURCES.D

ENT.DLL-HELP.XML

Press the PAGE DOWN key to see the rest of the agreement.

%s Setup

Windows Service Pack Setup

6.3.0004.1 built by: dnsrv

UPDATE.EXE

Windows

Operating System

6.3.0004.1

IDC_BLOCKLIST_SP_MSGA

IDC_BLOCKLIST_SP_MSGB

Starting process:$The update.ver file is not correct.

You can only install this update on Service Pack %d.

There is no need to install this update.?Setup failed to access or correctly modify your SETUP.LOG file.XThe version of software you are running does not match

There is not enough disk space on %%s to install %1. Setup requires a minimum of %%d additional megabytes of free space or if you also want to archive the files for uninstallation, Setup requires %%d additional megabytes of free space. Free additional space on your hard disk and then try again.RYou do not have permission to update %1.

ASetup could not find the setup.log file

in your repair directory.FSetup could not find the update.inf file

Please shutdown your system manually.SCould not locate entry for HAL.DLL in SETUP.LOG to determine type of HAL to update.

You can only install this update on Build %d to Build %d .^The version of Windows you have installed does not match the update you are trying to install.9%1 Setup could not start the hotfix installation program.'%1 Setup could not locate the %2 files.

This Web-based update requires Internet Explorer 3.0 or later.

For instructions on how to download a version of this update that does not require a Web connection during installation, download and install %1 from hXXp://VVV.Microsoft.com/Downloads

Please contact your hardware vendor for additional information on obtaining a %3 that has been qualified for your system configuration.JNot all files necessary to perform an integrated installation are present.<Cannot install %1.

The system must be restarted before installing the %1, to allow some prior file update operations to complete. (These operations were previously scheduled by some other install or uninstall operation.)

You do not have enough free disk space on %%s to archive the uninstall files. To install %1 with backup files for uninstall, an additional %%dMB is required.\Unable to locate RSAENHS.DLL in the update directory, high encryption for uninstall aborted.]Unable to locate UPDENCIN.INF in the update directory, high encryption for uninstall aborted.QUnable to locate UPDENCTS.INF in the update directory, unable to export TS files.'High encryption ENCINST process failed.2%1 Setup is ready to begin replacing system files.

Connecting to %s

Connected to %s

%dKB remaining%s

 The server did not respond (error code %d).

If this error persists after you have clicked Retry several times, download and install %1 from hXXp://VVV.Microsoft.com/Downloads. This will give you instructions on how to download a version of this update that does not require a Web connection during installation.G%1 Setup determined that the following downloaded %2 file is corrupt:

%1 Setup ErroriThe file %s is open or in use by another application.

Close all other applications and then click Retry.E%1 Setup could not backup registry key

%%s\%%s

to file %%s\%%s. %%s

%%s\%%s,\'%%s\'. %%s

Select 'OK' to undo the changes that have been made.=%%s

.Unable to print the END USER LICENSE AGREEMENT

The version of Windows you have installed is newer than the update you are trying to install. There is no need to install this update.gThis package does not apply to the operating system you are running, and therefore cannot be installed.

Applying Hotpatches!The branches.inf file is invalid.!The updatebr.inf file is invalid.&Failed to migrate dependent packages.

Details%Completing the %1 Installation Wizard

To apply the changes, the wizard has to restart Windows. To restart Windows automatically, click Finish. If you want to restart later, select the Do not restart now check box, and then click Finish.YYou have successfully completed the %1 Setup Wizard.

are also listed in the svcpack.log file.5Do you want to continue installing this service pack?YThe service pack install cannot continue until these hotfixes are applied to your system.

You can only install this update only on Build %d .

Integrating filesiPlease wait while setup integrates files from Windows Service Pack into your Windows installation folder.

Updating Your Windows Share

The product key used to install Microsoft Windows may not be valid.

For more information about why you have received this error message, and steps you can take to resolve this issue visit VVV.howtotell.com.

The core system file (kernel) used to start this computer is not a Microsoft Windows file. The Service Pack will not be installed. For more information, see Knowledge Base article %s at hXXp://support.microsoft.com.

Checking product key

[/help] [/quiet] [/passive] [/norestart] [/forcerestart] [/warnrestart] [/promptrestart] [/overwriteoem] [/nobackup] [/forceappsclose] [/integrate:<fullpath>] [/d:<path>] [/log:<fullpath>]

/passive

Creating file %s

Backing up file %s

Installing file %s

Copied file (delayed):ZAn error has occurred copying files from the Service Pack share to the distribution share..Integrated install has completed successfully.

The file %%s is missing from the %1 installation.

Press OK to cancel Setup.C%1 Setup is ready to begin upgrade of uninstall to high encryption.qIntegrated install failed. The language type or platform for the destination directory and %1 must be the same.

Copying file %sxIn order to successfully complete this installation, the following services will automatically be stopped and restarted.1Setup was unable to stop the following service:%spA reboot will probably be required in order to successfully complete this installation. Do you wish to continue?

9%1 Setup is executing. Please wait for Setup to complete.

Spawning instance %s

Updating the registry keys

Unpacking: %d remaining

readmesp.htm^Integrated install failed. The destination directory contains an evaluation copy of Windows.

Windows XP

Windows

[/help] [/quiet] [/passive] [/norestart] [/forcerestart] [/warnrestart] [/promptrestart] [/overwriteoem] [/nobackup] [/forceappsclose] [/integrate:<fullpath>] [/log:<fullpath>]

Starting service %s

Stopping service %s

Windows Server 2003

Consult the Service Pack documentation for more details about supported integration scenarios.

Windows %s has detected that one or more protected files on your computer have been modified. The Service Pack contains updated versions of those files, which work to provide a stable environment for your programs.

If you click Yes, the updated versions will overwrite the current files and you might lose certain customizations created by third-party programs, especially those that affect the graphic displayed when your computer starts up.

For more information, see Knowledge Base article <%s> at hXXp://support.microsoft.com.

You might need to restart your computer after you complete this update. To continue, click Next.MThe folder name is longer than the limit of 226 bytes.

Enter a shorter name.~Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer.

This Service Pack cannot be installed on top of the %1 build currently installed on your computer. Cancel this installation process, uninstall your current %2 build, then re-install this Service Pack..An error in updating your system has occurred.

At minimum, you must have Service Pack %d installed.

The existing file %s contains High Encryption security, but the updated Hotfix file %s contains only Standard Encryption security. You can choose to replace the High Encryption security file with the updated Standard Encryption security file now, or you can skip this file to retain the existing file containing High Encryption security. See the readme.txt file for information on obtaining the updated High Encryption security components.

ONo LICENSE.TXT file was found in your Hotfix directory.

7Error reading LICENSE.TXT file.

Windows NT 4.0

Windows 2000

You might need to restart your computer after you complete this update. To continue, click Next.cPlease read the following license agreement. To continue with setup, you must accept the agreement.

Windows XP Version 2003

Express software update packages cannot be integrated. To download a version of the fix that can be integrated, visit hXXp://VVV.microsoft.com/downloads.wExtracted packages cannot be integrated. The /integrate switch must be used with the original software update package.

Send Report

Thank you for participating in our product improvement process. Microsoft treats all collected data as confidential and anonymous unless otherwise specified.%See what the restart report contains.

&Send Report

Update.EXE RestartReport

Report Restart Information

Sending this report helps us improve the user experience. We will statistically process the collected data to understand what initiated this request to restart your computer. This information will help us reduce the number of restarts caused by applying updates.

mscorsvw.exe_3620:

.text

`.data

.rsrc

@.reloc

EX_CATCH line %d

CACHE_S_FORMATETC_NOTSUPPORTED

CTL_E_GETNOTSUPPORTEDATRUNTIME

CTL_E_GETNOTSUPPORTED

CTL_E_SETNOTSUPPORTEDATRUNTIME

CTL_E_SETNOTSUPPORTED

CO_E_SERVER_EXEC_FAILURE

MK_E_INTERMEDIATEINTERFACENOTSUPPORTED

REGDB_E_KEYMISSING

OLE_E_ADVISENOTSUPPORTED

CO_E_INIT_SCM_EXEC_FAILURE

EX_THROW Type = 0x%x HR = 0x%x, line %d

ThrowHR: HR = %x

mscorsvw.pdb

_amsg_exit

_acmdln

MSVCR100_CLR0400.dll

_crt_debugger_hook

RegCloseKey

RegQueryInfoKeyW

RegOpenKeyExW

ADVAPI32.dll

GetWindowsDirectoryW

GetCPInfo

GetProcessHeap

KERNEL32.dll

MsgWaitForMultipleObjectsEx

USER32.dll

mscoree.dll

ole32.dll

OLEAUT32.dll

.PAVException@@

v1.0.3705

.PAVOutOfMemoryException@@

.PAVHRException@@

7 7$7(7,7074787

6$6,686\6|6

advapi32.dll

Wtsapi32.dll

kernel32.dll

mscorsvc.dll

Microsoft .NET Runtime Optimization Service

Microsoft .NET Runtime Optimization Service has been uninstalled

Failed to uninstall Microsoft .NET Runtime Optimization Service

Microsoft .NET Runtime Optimization Service has been installed

Failed to install Microsoft .NET Runtime Optimization Service

Failed to retrieve Microsoft .NET Runtime Optimization Service interface

Set service status to %d

Service control handler op %u, event type %u

\ndpsetup.bat

Created repair process in session %d, process ID %d

Unable to create repair process, error %d

Microsoft.NET\NETFXRepair.exe

Error changing token session ID, error %d

Error duplicating current process token, error %d

Error getting current process token, error %d

Session %u has become active.

Aborting repair due to unexpected wait status %u

Found active session %u

Aborting repair due to error %u from WTSEnumerateSessions

StartServiceCtrlDispatcher failed with error %d. Will try slow path

\fusion.localgac

\v2.0.50727

SOFTWARE\Microsoft\.NetFramework

v4.0.0

SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default

SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default

ngenrootstorelock.dat

ngenservicelock.dat

FastStartupCheck(isPrivateRuntime=%d)

yKERNEL32.DLL

Software\Microsoft\.NETFramework

RestrictedGCStressExe

EnableInternetHREFexes

NGENServiceWaitPassiveWork

NGENServicePassiveWorkWaitTimeout

NGENServicePassiveHardDiskIdleTimeout

NGENServicePassiveExceptInputTimeout

MD_ForceNoColDesSharing

UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException

DbgTransportProxyAddress

DbgRedirectCreateCmd

DbgRedirectCommonCmd

DbgRedirectAttachCmd

mscorrc.dll

v4.0.30319

.NET Runtime Optimization Service

4.0.30319.1 (RTMRel.030319-0100)

mscorsvw.exe

.NET Framework

4.0.30319.1

mscorsvw.exe_2620:

.text

`.data

.rsrc

@.reloc

EX_CATCH line %d

CACHE_S_FORMATETC_NOTSUPPORTED

CTL_E_GETNOTSUPPORTEDATRUNTIME

CTL_E_GETNOTSUPPORTED

CTL_E_SETNOTSUPPORTEDATRUNTIME

CTL_E_SETNOTSUPPORTED

CO_E_SERVER_EXEC_FAILURE

MK_E_INTERMEDIATEINTERFACENOTSUPPORTED

REGDB_E_KEYMISSING

OLE_E_ADVISENOTSUPPORTED

CO_E_INIT_SCM_EXEC_FAILURE

EX_THROW Type = 0x%x HR = 0x%x, line %d

ThrowHR: HR = %x

mscorsvw.pdb

_amsg_exit

_acmdln

MSVCR100_CLR0400.dll

_crt_debugger_hook

RegCloseKey

RegQueryInfoKeyW

RegOpenKeyExW

ADVAPI32.dll

GetWindowsDirectoryW

GetCPInfo

GetProcessHeap

KERNEL32.dll

MsgWaitForMultipleObjectsEx

USER32.dll

mscoree.dll

ole32.dll

OLEAUT32.dll

.PAVException@@

v1.0.3705

.PAVOutOfMemoryException@@

.PAVHRException@@

7 7$7(7,7074787

6$6,686\6|6

advapi32.dll

Wtsapi32.dll

kernel32.dll

mscorsvc.dll

Microsoft .NET Runtime Optimization Service

Microsoft .NET Runtime Optimization Service has been uninstalled

Failed to uninstall Microsoft .NET Runtime Optimization Service

Microsoft .NET Runtime Optimization Service has been installed

Failed to install Microsoft .NET Runtime Optimization Service

Failed to retrieve Microsoft .NET Runtime Optimization Service interface

Set service status to %d

Service control handler op %u, event type %u

\ndpsetup.bat

Created repair process in session %d, process ID %d

Unable to create repair process, error %d

Microsoft.NET\NETFXRepair.exe

Error changing token session ID, error %d

Error duplicating current process token, error %d

Error getting current process token, error %d

Session %u has become active.

Aborting repair due to unexpected wait status %u

Found active session %u

Aborting repair due to error %u from WTSEnumerateSessions

StartServiceCtrlDispatcher failed with error %d. Will try slow path

\fusion.localgac

\v2.0.50727

SOFTWARE\Microsoft\.NetFramework

v4.0.0

SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default

SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default

ngenrootstorelock.dat

ngenservicelock.dat

FastStartupCheck(isPrivateRuntime=%d)

yKERNEL32.DLL

Software\Microsoft\.NETFramework

RestrictedGCStressExe

EnableInternetHREFexes

NGENServiceWaitPassiveWork

NGENServicePassiveWorkWaitTimeout

NGENServicePassiveHardDiskIdleTimeout

NGENServicePassiveExceptInputTimeout

MD_ForceNoColDesSharing

UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException

DbgTransportProxyAddress

DbgRedirectCreateCmd

DbgRedirectCommonCmd

DbgRedirectAttachCmd

mscorrc.dll

v4.0.30319

.NET Runtime Optimization Service

4.0.30319.1 (RTMRel.030319-0100)

mscorsvw.exe

.NET Framework

4.0.30319.1

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

mofcomp.exe:4092
WindowsXP-KB968930-x86-ENG.exe:900
ngen.exe:3760
ngen.exe:3984
ngen.exe:3616
ngen.exe:1932
ngen.exe:3940
ngen.exe:4004
ngen.exe:3744
ngen.exe:3908
ngen.exe:3800
ngen.exe:3840
ngen.exe:4064
ngen.exe:3892
ngen.exe:2072
ngen.exe:1144
ngen.exe:1232
PSCustomSetupUtil.exe:2928
PSCustomSetupUtil.exe:1096
PSCustomSetupUtil.exe:3204
PSCustomSetupUtil.exe:2336
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2996
PSCustomSetupUtil.exe:2856
PSCustomSetupUtil.exe:1876
PSCustomSetupUtil.exe:3152
PSCustomSetupUtil.exe:2268
PSCustomSetupUtil.exe:2412
PSCustomSetupUtil.exe:3096
PSCustomSetupUtil.exe:828
PSCustomSetupUtil.exe:3308
PSCustomSetupUtil.exe:2532
PSCustomSetupUtil.exe:328
PSCustomSetupUtil.exe:2160
wsmanhttpconfig.exe:2900
wsmanhttpconfig.exe:3492
%original file name%.exe:524
%original file name%.exe:1612
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%System%\wbem\Logs\mofcomp.log (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
C:\1a581e7121a380047c3556\wsmtxt.xsl (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\1a581e7121a380047c3556\registry.format.ps1xml (20 bytes)
C:\1a581e7121a380047c3556\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\1a581e7121a380047c3556\about_logical_operators.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_functions.help.txt (586 bytes)
C:\1a581e7121a380047c3556\winrmprov.mof (789 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\1a581e7121a380047c3556\about_comparison_operators.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll (1145 bytes)
C:\1a581e7121a380047c3556\diagnostics.format.ps1xml (590 bytes)
C:\1a581e7121a380047c3556\about_types.ps1xml.help.txt (481 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.dll (14450 bytes)
C:\1a581e7121a380047c3556\about_language_keywords.help.txt (11 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\1a581e7121a380047c3556\powershellcore.format.ps1xml (1492 bytes)
C:\1a581e7121a380047c3556\about_preference_variables.help.txt (37 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_methods.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmplpxy.dll (603 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\1a581e7121a380047c3556\winrs.exe (1154 bytes)
C:\1a581e7121a380047c3556\wtrinstaller.ico (4803 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_break.help.txt (792 bytes)
C:\1a581e7121a380047c3556\about_hash_tables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_command_precedence.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_debuggers.help.txt (21 bytes)
C:\1a581e7121a380047c3556\about_wmi_cmdlets.help.txt (8 bytes)
C:\1a581e7121a380047c3556\about_requires.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_parameters.help.txt (9 bytes)
C:\1a581e7121a380047c3556\wsmanhttpconfig.exe (3009 bytes)
C:\1a581e7121a380047c3556\about_trap.help.txt (10 bytes)
C:\1a581e7121a380047c3556\winrm.ini (1956 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\1a581e7121a380047c3556\about_job_details.help.txt (824 bytes)
C:\1a581e7121a380047c3556\windowspowershellhelp.chm (26041 bytes)
C:\1a581e7121a380047c3556\about_transactions.help.txt (1011 bytes)
C:\1a581e7121a380047c3556\about_path_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\getevent.types.ps1xml (15 bytes)
C:\1a581e7121a380047c3556\wsmprovhost.exe (657 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\1a581e7121a380047c3556\about_profiles.help.txt (457 bytes)
C:\1a581e7121a380047c3556\about_regular_expressions.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_prompts.help.txt (7 bytes)
C:\1a581e7121a380047c3556\spupdsvc.exe (287 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\1a581e7121a380047c3556\wsmsvc.dll (15909 bytes)
C:\1a581e7121a380047c3556\system.management.automation.dll-help.xml (16567 bytes)
C:\1a581e7121a380047c3556\update\update.ver (14 bytes)
C:\1a581e7121a380047c3556\winrssrv.dll (12 bytes)
C:\1a581e7121a380047c3556\about_assignment_operators.help.txt (379 bytes)
C:\1a581e7121a380047c3556\pwrshsip.dll (24 bytes)
C:\1a581e7121a380047c3556\about_format.ps1xml.help.txt (17 bytes)
C:\1a581e7121a380047c3556\about_while.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_command_syntax.help.txt (5 bytes)
C:\1a581e7121a380047c3556\wsmauto.mof (4 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\1a581e7121a380047c3556\spmsg.dll (495 bytes)
C:\1a581e7121a380047c3556\about_type_operators.help.txt (5 bytes)
C:\1a581e7121a380047c3556\eventforwarding.adm (2 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_if.help.txt (3 bytes)
C:\1a581e7121a380047c3556\powershelltrace.format.ps1xml (344 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.runtime.dll (33 bytes)
C:\1a581e7121a380047c3556\spuninst.exe (3787 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.editor.resources.dll (562 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\1a581e7121a380047c3556\about_remote_output.help.txt (887 bytes)
C:\1a581e7121a380047c3556\about_switch.help.txt (489 bytes)
C:\1a581e7121a380047c3556\about_eventlogs.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_arithmetic_operators.help.txt (168 bytes)
C:\1a581e7121a380047c3556\about_remote_requirements.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_script_internationalization.help.txt (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\1a581e7121a380047c3556\about_aliases.help.txt (6 bytes)
C:\1a581e7121a380047c3556\winrm.vbs (2727 bytes)
C:\1a581e7121a380047c3556\pscustomsetuputil.exe (316 bytes)
C:\1a581e7121a380047c3556\update\eula.txt (586 bytes)
C:\1a581e7121a380047c3556\default.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_ise.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_history.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pssetupnativeutils.exe (9 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\1a581e7121a380047c3556\update\kb968930xp.cat (512 bytes)
C:\1a581e7121a380047c3556\windowsremotemanagement.adm (574 bytes)
C:\1a581e7121a380047c3556\bitstransfer.psd1 (950 bytes)
C:\1a581e7121a380047c3556\about_join.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\1a581e7121a380047c3556\about_operators.help.txt (770 bytes)
C:\1a581e7121a380047c3556\about_scripts.help.txt (12 bytes)
C:\1a581e7121a380047c3556\wsmres.dll (6164 bytes)
C:\1a581e7121a380047c3556\about_throw.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_remote.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_signing.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_quoting_rules.help.txt (659 bytes)
C:\1a581e7121a380047c3556\about_script_blocks.help.txt (3 bytes)
C:\1a581e7121a380047c3556\winrshost.exe (22 bytes)
C:\1a581e7121a380047c3556\dotnettypes.format.ps1xml (266 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll (3386 bytes)
C:\1a581e7121a380047c3556\about_remote_troubleshooting.help.txt (146 bytes)
C:\1a581e7121a380047c3556\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\1a581e7121a380047c3556\about_jobs.help.txt (12 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\1a581e7121a380047c3556\wsmpty.xsl (1 bytes)
C:\1a581e7121a380047c3556\about_escape_characters.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_return.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_session_configurations.help.txt (276 bytes)
C:\1a581e7121a380047c3556\winrsmgr.dll (2 bytes)
C:\1a581e7121a380047c3556\about_split.help.txt (10 bytes)
C:\1a581e7121a380047c3556\update\spcustom.dll (23 bytes)
C:\1a581e7121a380047c3556\about_foreach.help.txt (10 bytes)
C:\1a581e7121a380047c3556\about_core_commands.help.txt (221 bytes)
C:\1a581e7121a380047c3556\about_variables.help.txt (6 bytes)
C:\1a581e7121a380047c3556\bitstransfer.format.ps1xml (16 bytes)
C:\1a581e7121a380047c3556\about_execution_policies.help.txt (13 bytes)
C:\1a581e7121a380047c3556\profile.ps1 (772 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\1a581e7121a380047c3556\about_reserved_words.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_ref.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_wildcards.help.txt (3 bytes)
C:\1a581e7121a380047c3556\about_continue.help.txt (1 bytes)
C:\1a581e7121a380047c3556\winrm.cmd (35 bytes)
C:\1a581e7121a380047c3556\about_redirection.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_locations.help.txt (794 bytes)
C:\1a581e7121a380047c3556\about_bits_cmdlets.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmwmipl.dll (2816 bytes)
C:\1a581e7121a380047c3556\about_ws-management_cmdlets.help.txt (405 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\1a581e7121a380047c3556\powershell.exe.mui (10 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.security.resources.dll (9 bytes)
C:\1a581e7121a380047c3556\about_pssession_details.help.txt (9 bytes)
C:\1a581e7121a380047c3556\certificate.format.ps1xml (155 bytes)
C:\1a581e7121a380047c3556\filesystem.format.ps1xml (133 bytes)
C:\1a581e7121a380047c3556\about_windows_powershell_2.0.help.txt (453 bytes)
C:\1a581e7121a380047c3556\winrmprov.dll (591 bytes)
C:\1a581e7121a380047c3556\about_parsing.help.txt (2 bytes)
C:\1a581e7121a380047c3556\about_automatic_variables.help.txt (14 bytes)
C:\1a581e7121a380047c3556\windowsremoteshell.adm (12 bytes)
C:\1a581e7121a380047c3556\wsman.format.ps1xml (837 bytes)
C:\1a581e7121a380047c3556\about_scopes.help.txt (76 bytes)
C:\1a581e7121a380047c3556\about_pipelines.help.txt (411 bytes)
C:\1a581e7121a380047c3556\$shtdwn$.req (788 bytes)
C:\1a581e7121a380047c3556\about_comment_based_help.help.txt (595 bytes)
C:\1a581e7121a380047c3556\powershell_ise.resources.dll (4 bytes)
C:\1a581e7121a380047c3556\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\1a581e7121a380047c3556\update\update.inf (2457 bytes)
C:\1a581e7121a380047c3556\about_line_editing.help.txt (1 bytes)
C:\1a581e7121a380047c3556\about_remote_faq.help.txt (775 bytes)
C:\1a581e7121a380047c3556\update\update.exe (10748 bytes)
C:\1a581e7121a380047c3556\about_pssnapins.help.txt (6 bytes)
C:\1a581e7121a380047c3556\pspluginwkr.dll (1756 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.resources.dll (13 bytes)
C:\1a581e7121a380047c3556\system.management.automation.resources.dll (3153 bytes)
C:\1a581e7121a380047c3556\powershell_ise.exe (2526 bytes)
C:\1a581e7121a380047c3556\about_environment_variables.help.txt (417 bytes)
C:\1a581e7121a380047c3556\about_do.help.txt (2 bytes)
C:\1a581e7121a380047c3556\pwrshplugin.dll (802 bytes)
C:\1a581e7121a380047c3556\about_providers.help.txt (59 bytes)
C:\1a581e7121a380047c3556\update\updspapi.dll (5940 bytes)
C:\1a581e7121a380047c3556\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\1a581e7121a380047c3556\about_functions_advanced_parameters.help.txt (962 bytes)
C:\1a581e7121a380047c3556\about_modules.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_pssessions.help.txt (9 bytes)
C:\1a581e7121a380047c3556\winrscmd.dll (2907 bytes)
C:\1a581e7121a380047c3556\about_commonparameters.help.txt (12 bytes)
C:\1a581e7121a380047c3556\about_remote_jobs.help.txt (13 bytes)
C:\1a581e7121a380047c3556\about_properties.help.txt (7 bytes)
C:\1a581e7121a380047c3556\about_data_sections.help.txt (5 bytes)
C:\1a581e7121a380047c3556\about_try_catch_finally.help.txt (7 bytes)
C:\1a581e7121a380047c3556\wsmauto.dll (1842 bytes)
C:\1a581e7121a380047c3556\importallmodules.psd1 (438 bytes)
C:\1a581e7121a380047c3556\about_arrays.help.txt (8 bytes)
C:\1a581e7121a380047c3556\help.format.ps1xml (3947 bytes)
C:\1a581e7121a380047c3556\about_for.help.txt (146 bytes)
C:\1a581e7121a380047c3556\about_methods.help.txt (6 bytes)
C:\1a581e7121a380047c3556\about_special_characters.help.txt (3 bytes)
C:\1a581e7121a380047c3556\pwrshmsg.dll (4 bytes)
C:\1a581e7121a380047c3556\wevtfwd.dll (3351 bytes)
C:\1a581e7121a380047c3556\about_objects.help.txt (2 bytes)
C:\1a581e7121a380047c3556\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\1a581e7121a380047c3556\types.ps1xml (2510 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)
%System%\SETBF.tmp (42 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%System%\config\SYSTEM.LOG (6201 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (3198 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1579 bytes)
%WinDir%\inf\oem11.PNF (10040 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (220274 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%WinDir%\inf\oem11.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
%WinDir%\assembly\tmp\7Y38EJOT\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\SKPUZ49F\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\tmp\KBGLQW16\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\H8EJOTY3\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\LDINSW15\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\7Y38DINT\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\KMSX27CH\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\OFKPV17C\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\XOTY37CG\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%WinDir%\assembly\tmp\DBHNSX38\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\RJPUZ49E\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\ZQV05AFK\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%WinDir%\assembly\tmp\KBGLQV05\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\SJOTY38D\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\MEJPUZ49\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\E6BGMRW1\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\5W16BGLQ\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startupx\system.pif (2105 bytes)
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.Generic.15099347_d1fd8cc62a

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.Generic.15099347_d1fd8cc62a

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet